On 17.01.2006 at 13:36, Matthew Bevan wrote:

> I've updated my local tg_flash routines to support pickling - my application
> requires a dictionary with "class", "label", and "message" elements, for
> example.
>
> The change is 100% backwards compatible and adds a few bytes of overhead in
> the general case of a simple string. Tests could be made to prevent even
> that.

Unfortunately, it is a security risk. flash is currently implemented
as a cookie, and a malicious client could send a carefully crafted
pickle that can execute arbitrary python code. (This is the very same
reason why SerialCookie and SmartCookie in the Cookie module of the
standard library are deprecated.)

> I attempted to make a patch, but I borked it at the last moment and now have
> no source reference... d'oh!

Never mind, I made a patch that avoids cookies, and thus the security
risk. My patch lets you use arbitrary objects with flash.

See #297 in trac:
http://trac.turbogears.org/turbogears/ticket/297

ciao
Martina
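
The risk Martina describes above is that `pickle.loads` on a value the client controls (a cookie) lets the client choose which importable objects get constructed, which is why the stdlib deprecated SerialCookie and SmartCookie. The following is an added example, not code from the thread, from TurboGears or from ticket #297: it shows the two defensive options for a flash dict of `class`/`label`/`message` elements. `encode_flash`/`decode_flash` keep the value in a cookie but serialize it as JSON (which can only yield plain data) and authenticate it with an HMAC so a tampered cookie is rejected outright; `RestrictedUnpickler` is the defence-in-depth variant from the Python `pickle` documentation ("Restricting Globals"), which refuses any pickle that references a class outside an allowlist. All function names, `SECRET_KEY`, and the sample pickles are constructed for this example.

```python
import base64
import builtins
import collections
import hashlib
import hmac
import io
import json
import pickle

# Constructed secret for this example only; a real application loads it from
# configuration and never ships it in source.
SECRET_KEY = b"example-secret-do-not-use-in-production"


def encode_flash(data, key=SECRET_KEY):
    """Serialize a flash dict as base64(JSON) + '.' + HMAC-SHA256 tag.

    JSON can only express dicts, lists, strings, numbers, booleans and null,
    so a client editing the cookie can change the data but can never make
    the server construct an arbitrary object the way a pickle can.
    """
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    body = base64.urlsafe_b64encode(payload).decode("ascii")
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + tag


def decode_flash(value, key=SECRET_KEY):
    """Verify the tag *before* parsing the payload.

    Returns the dict, or None when the cookie is missing, malformed, or was
    modified by the client (the tag no longer matches).
    """
    if not value or "." not in value:
        return None
    body, _, tag = value.rpartition(".")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    except (ValueError, UnicodeDecodeError):
        return None


# Builtin containers and scalars that carry no code when reconstructed.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "int", "float", "bool", "bytes", "NoneType"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an allowlist of builtin names.

    Every GLOBAL/STACK_GLOBAL opcode in a pickle goes through find_class, so
    refusing here blocks any pickle that tries to reach into os, subprocess,
    or any other module.  This is a mitigation, not a substitute for keeping
    pickles out of client-controlled data in the first place.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "refusing to load %s.%s from untrusted pickle" % (module, name))


def restricted_loads(data):
    """pickle.loads replacement that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reject(data):
    """Return ('ok', obj) for an allowed pickle, ('rejected', reason) otherwise."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed samples: a plain flash dict, and a pickle that references a
# class from another module (harmless here, but outside the allowlist).
FLASH_DICT = {"class": "warning", "label": "Warning", "message": "Check your input"}
SAMPLE_PLAIN_PICKLE = pickle.dumps(FLASH_DICT)
SAMPLE_FOREIGN_PICKLE = pickle.dumps(collections.deque([1, 2, 3]))


if __name__ == "__main__":
    cookie = encode_flash(FLASH_DICT)
    print("cookie:", cookie)
    print("verified:", decode_flash(cookie))
    print("tampered:", decode_flash(cookie[:-1] + "x"))
    print("plain pickle:", loads_or_reject(SAMPLE_PLAIN_PICKLE))
    print("foreign pickle:", loads_or_reject(SAMPLE_FOREIGN_PICKLE))
```

The signed-JSON path is the one to prefer when the value has to live in a cookie: the server never deserializes anything it did not sign itself, and the JSON parser has no mechanism for instantiating classes. The allowlisting unpickler is only worth having where pickle cannot be removed, and even then the allowlist should stay as small as the data actually needs.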