Alberto Valverde <[EMAIL PROTECTED]> writes:
> The easiest way IMO would be to pickle a FormState (unimplemented) object and
> encrypt that. That object could be extended if a need for something similar

Hmmm... I don't think so. What if I have dynamic controls that enable /
disable fields according to their selection? I'd need to update this state
somehow on the "hash".

> arises in the future. However, is it safe to do so? I mean, objects should
> not be un-pickled from untrusted sources because the possibility of remote
> code execution exists... The pickle docs say:
> """Warning:
> The pickle module is not intended to be secure against erroneous or
> maliciously constructed data. Never unpickle data received from an untrusted
> or unauthenticated source."""
> Would encrypting it make it secure enough?

I don't think that anything that needs to be updated / tampered on client side
will do it... Maybe we should pass more information or find a different
approach for validation. Maybe requiring more steps -- e.g. letting the
developer update something when he enables/disables some element -- but
providing an API that will take those changes into account.
--
Jorge Godoy <[EMAIL PROTECTED]>
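
Added example, not code from this thread or from TurboGears: one way to round-trip form state through the client without ever unpickling client-supplied bytes is to serialize it as JSON and authenticate it with an HMAC, checking the tag before parsing. The names `seal`, `unseal`, `TamperedState`, the key and the sample state layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads a random server-side secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"


class TamperedState(Exception):
    """Raised when a token is malformed or fails authentication."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def seal(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize form state as canonical JSON and append an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def unseal(token: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag first; parse the payload only if it is authentic."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        tag = base64.urlsafe_b64decode(tag_b64.encode("ascii"))
    except (ValueError, UnicodeEncodeError) as exc:
        raise TamperedState("malformed token") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise TamperedState("bad signature")
    # JSON yields only dicts, lists, strings, numbers, booleans and None,
    # so parsing cannot execute code the way pickle.loads can.
    state = json.loads(payload)
    if not isinstance(state, dict):
        raise TamperedState("unexpected payload type")
    return state
```

The tag makes the state read-only for the client; a change such as enabling or disabling a field has to be applied server-side and the token re-issued with `seal`.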