Chris McDonough <chr...@plope.com> added the comment: I need to take back the assumption of "monstrous, disastrous security hole" wrt. using the pickle module (or eval, as you suggest) because in this particular case, the cookie content is hashed and compared against a digest that includes a secret, so it's unlikely that anything not explicitly put into the cookie by the software will be unpickled.
On the other hand, however, for the sake of future maintainers, who may not get this particular joke (and who may end up innocently changing the code in a way that introduces a security hole), I think it's probably wise to stay clear of passing values obtained from a cookie (even though the data isn't 100% 'untrusted' due to the digest) to any Python function that has the capability to run arbitrary code based on the value that is passed to it, such as eval or pickle.loads.

For the record, the current implementation already has a bug that is going to require us to set the userid value to something other than a plain unencoded bytestring anyway (http://bugs.repoze.org/issue98). This will need to be fixed at some point, and at that point, the userid will become even more opaque (probably base64 encoded).

I don't understand the problem you're trying to solve by removing the type declaration. As it stands, if the userid used by your application and passed into the plugin (let's say, via "plugin.remember") is unicode, you'll get unicode back as the value of environ['repoze.who.identity']['repoze.who.userid'] when there's an authtkt cookie present at ingress. If it's an integer you pass in, you'll get an integer back. If it's a bytestring, you'll get a bytestring back. A 'charset' value is immaterial here: if the value is unicode, you won't need it; if the value is a bytestring, you *already* need to handle the decoding explicitly. What am I missing?

__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue101>
__________________________________
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
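The two points made in the message above, that a keyed digest over the cookie keeps attacker-supplied data away from the deserializer but that eval/pickle should still not be used on cookie values, and that the userid should round-trip with its type (int, unicode, bytestring) intact in an opaque, base64-style encoding, can be illustrated together. The following is an added example written for this page; it is not repoze.who's authtkt plugin code and invents its own wire format. It assumes a HMAC-SHA256 digest (the hash in the real plugin is not stated here), a fixed shared secret constructed for the example, Python 3 (so "unicode" in the message corresponds to `str`), and hypothetical `remember`/`identify` helper names that only echo the message's terminology. The userid is carried behind a one-character type tag and parsed with `int()`, `base64` and `.decode()`, none of which can execute code, so a future maintainer has nothing to "innocently" turn into an eval.

```python
import base64
import hashlib
import hmac

# Constructed for this example only; a real deployment loads its secret from config.
SECRET = b"example-secret-not-for-production"


def _sign(payload: str) -> str:
    """Keyed digest over the cookie payload. Only the holder of SECRET can mint one."""
    return hmac.new(SECRET, payload.encode("ascii"), hashlib.sha256).hexdigest()


def encode_userid(userid) -> str:
    """Serialise an int, str or bytes userid with a type tag so it round-trips.

    Layout (hypothetical, chosen for this example):
      i:<decimal>          integer
      u:<urlsafe-base64>   str, UTF-8 encoded then base64 (opaque, no charset guess)
      b:<urlsafe-base64>   bytes, base64 (opaque, caller decodes if it wants text)
    """
    if isinstance(userid, bool) or not isinstance(userid, (int, str, bytes)):
        raise TypeError("userid must be int, str or bytes")
    if isinstance(userid, int):
        return "i:" + str(userid)
    if isinstance(userid, str):
        return "u:" + base64.urlsafe_b64encode(userid.encode("utf-8")).decode("ascii")
    return "b:" + base64.urlsafe_b64encode(userid).decode("ascii")


def decode_userid(encoded: str):
    """Inverse of encode_userid. Every branch is a pure data conversion: nothing here
    can run code, which is the property eval() and pickle.loads() lack."""
    tag, sep, body = encoded.partition(":")
    if not sep:
        raise ValueError("malformed userid payload")
    if tag == "i":
        return int(body)
    if tag == "u":
        return base64.urlsafe_b64decode(body).decode("utf-8")
    if tag == "b":
        return base64.urlsafe_b64decode(body)
    raise ValueError("unknown userid type tag %r" % tag)


def remember(userid) -> str:
    """Build the cookie value: <payload>|<digest>."""
    payload = encode_userid(userid)
    return payload + "|" + _sign(payload)


def identify(cookie: str):
    """Verify the digest first, then parse. Returns the original userid, or None
    when the cookie is missing, malformed or fails verification."""
    payload, sep, digest = cookie.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison so the digest cannot be guessed byte by byte.
    if not hmac.compare_digest(digest, _sign(payload)):
        return None
    try:
        return decode_userid(payload)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for uid in (42, "chrism", b"\xff\x00raw-bytes"):
        cookie = remember(uid)
        back = identify(cookie)
        print(repr(uid), "->", cookie, "->", repr(back), type(back).__name__)
    # An attacker who edits the payload without the secret is rejected outright.
    print(identify(remember(42).replace("i:42", "i:43")))
```

The `identify` function checks the digest before it looks at the payload at all, which is the property the message relies on when it says nothing the software did not put into the cookie will be unpickled. Swapping `decode_userid` for `pickle.loads` would preserve that property today and still be the maintenance hazard the message describes; keeping the parser to `int`, `base64` and `decode` removes the hazard rather than relying on the digest to contain it.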