On Jan 8, 2007, at 2:55 PM, Jorge Godoy wrote:


Alberto Valverde <[EMAIL PROTECTED]> writes:

The easiest way IMO would be to pickle a FormState (unimplemented) object and encrypt that. That object could be extended if a need for something similar

Hmmm... I don't think so. What if I have dynamic controls that enable / disable fields according to their selection? I'd need to update this state
somehow on the "hash".

Phew! Then I can't think of a safe way to do that... How can you trust JS code to decide which fields should skip validation? I think that that hidden field should only serve as a vehicle to pass state from the method displaying the form to the method validating input across requests. Maybe that JS code could call server code asynchronously to obtain a new encrypted hidden field (letting the server side code decide if it allows changing state) but I fear this is getting overly complicated and could be a source of nasty security holes if not carefully implemented...

arises in the future. However, is it safe to do so? I mean, objects should not be un-pickled from untrusted sources because the possibility of remote
code execution exists... The pickle docs say:

"""Warning:
The pickle module is not intended to be secure against erroneous or
maliciously constructed data. Never unpickle data received from an untrusted
or unauthenticated source."""

Would encrypting it make it secure enough?

I don't think that anything that needs to be updated / tampered on client side will do it... Maybe we should pass more information or find a different approach for validation. Maybe requiring more steps -- e.g. letting the developer update something when he enables/disables some element -- but
providing an API that will take those changes into account.

Ideas?

Alberto
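One way to let the hidden field carry form state across requests without the unpickling risk the quoted warning describes, as an added example (not code from this thread or from TurboGears): serialize the state as JSON, which yields only plain data types, and authenticate it with an HMAC under a server-side key, so the browser can relay the field but any change to it is rejected before the payload is even parsed. The key `SERVER_KEY` and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret; in a real deployment it comes from configuration
# and is never sent to the client.
SERVER_KEY = b"example-server-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def seal_form_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Encode form state as canonical JSON and append an HMAC-SHA256 tag.

    JSON (unlike pickle) cannot carry code, and the tag lets the server
    detect any client-side modification of the hidden field.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def open_form_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag verifies, otherwise None.

    The payload is only parsed after the MAC check passes, so a forged or
    edited field never reaches json.loads.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except ValueError:  # missing separator or malformed base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload.decode("utf-8"))
```

Note that a MAC gives the integrity check the discussion is after; encryption alone hides the contents but does not by itself stop an edited field from being accepted.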
