Chris McDonough <> added the comment:

I need to take back the assumption of "monstrous, disastrous security hole" wrt. using the pickle module (or eval, as you suggest) because in this particular case, the cookie content is hashed and compared against a digest that includes a secret, so it's unlikely that anything not explicitly put into the cookie by the software will be unpickled.

On the other hand, however, for the sake of future maintainers, who may not get this particular joke (and who may end up innocently changing the code in a way that introduces a security hole), I think it's probably wise to stay clear of passing values obtained from a cookie (even though the data isn't 100% 'untrusted' due to the digest) to any Python function that has the capability to run arbitrary code based on the value that is passed to it such as eval or

For the record, the current implementation already has a bug that is going to require us to set the userid value to something other than a plain unencoded bytestring anyway ( This will need to be fixed at some point, and at that point, the userid will become even more opaque (probably base64 encoded).

I don't understand the problem you're trying to solve by removing the type declaration.  As it stands, if the userid used by your application and passed into the plugin (let's say, via "plugin.remember") is unicode, you'll get unicode back as the value of environ['repoze.who.identity']['repoze.who.userid'] when there's an authtkt cookie present at ingress.  If it's an integer you pass in, you'll get an integer back.  If it's a bytestring, you'll get a bytestring back.

A 'charset' value is immaterial here: if the value is unicode, you won't need it; if the value is a bytestring, you *already* need to handle the decoding explicitly.  What am I

Repoze Bugs <>
Repoze-dev mailing list
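
An added example, not part of the original message and not repoze.who's code: one way to round-trip a typed userid through a signed cookie with no eval or pickle, by checking the digest first and then dispatching on a fixed whitelist of type tags. The function names, the HMAC-SHA256 construction and the `digest.tag:base64` layout are assumptions made for illustration, not the auth_tkt format.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample key, for this example only

# Fixed whitelist of type tags. A tag outside this table is rejected, so no
# cookie value ever reaches a function that can run code (eval, pickle.loads).
DECODERS = {
    b"int": lambda raw: int(raw.decode("ascii"), 10),
    b"unicode": lambda raw: raw.decode("utf-8"),
    b"bytes": lambda raw: raw,
}

def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode("ascii")

def encode_cookie(userid) -> str:
    """Serialize an int, str or bytes userid as 'digest.tag:base64'."""
    if isinstance(userid, int):
        tag, raw = b"int", str(userid).encode("ascii")
    elif isinstance(userid, str):
        tag, raw = b"unicode", userid.encode("utf-8")
    elif isinstance(userid, bytes):
        tag, raw = b"bytes", userid
    else:
        raise TypeError("unsupported userid type")
    payload = tag + b":" + base64.urlsafe_b64encode(raw)
    return (_mac(payload) + b"." + payload).decode("ascii")

def decode_cookie(cookie: str):
    """Return the userid with its original type, or None if invalid."""
    try:
        digest, payload = cookie.encode("ascii").split(b".", 1)
    except (UnicodeEncodeError, ValueError):
        return None  # non-ASCII input or no separator
    # Verify before parsing; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(_mac(payload), digest):
        return None
    tag, _, b64 = payload.partition(b":")
    decoder = DECODERS.get(tag)
    if decoder is None:
        return None  # correctly signed, but not a type we agreed to decode
    try:
        return decoder(base64.urlsafe_b64decode(b64))
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
```

Even if a later change weakens or removes the digest check, the worst a forged cookie can produce here is an attacker-chosen int, str or bytes value, never code execution.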
