Hi, if the code below is doing what I think it's doing, i.e. unpickling that field, you're opening yourself up to arbitrary code execution. Unpickle should never be used with strings that come from the user. Cheers, Tavis
On Tuesday 16 September 2003 01:32, deelan wrote:
> if self.postback:
>     # items holds all form widgets
>     self.items = deserializeItems(request.fields(VIESTATE, ''))

_______________________________________________
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss
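The fix the reply points at is to stop feeding browser-controlled bytes to pickle at all. Below is an added example (not code from the thread or from Webware) of a drop-in replacement for the quoted `deserializeItems`: the form state is serialized as JSON, which can only ever produce plain data, and the token is protected with an HMAC so the server can tell its own tokens from anything the client altered. `SECRET_KEY`, `serialize_items`, `deserialize_items` and `unsigned_token` are names assumed for this example; the secret value is a constructed placeholder.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a server-side secret loaded from configuration and never sent to
# the browser. The value here is a constructed placeholder for the example.
SECRET_KEY = b"replace-me-with-a-random-32-byte-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def serialize_items(items: dict) -> str:
    """Encode the form state as canonical JSON and prepend an HMAC-SHA256 tag."""
    payload = json.dumps(items, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def deserialize_items(token: str) -> Optional[dict]:
    """Verify the tag, then parse JSON.

    Returns None for anything that is not a well-formed, untampered token.
    Unlike pickle.loads, json.loads can only build strings, numbers, lists and
    dicts, so no code path in the input is ever executed.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, binascii.Error, UnicodeEncodeError):
        return None
    if len(raw) < TAG_LEN:
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed at all.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        items = json.loads(payload.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    # Accept only the shape the application expects (a dict of widget values).
    return items if isinstance(items, dict) else None


def unsigned_token(items: dict) -> str:
    """Build a token carrying a bogus (all-zero) tag.

    This stands in for any value the browser sends back that the server did not
    sign, and exists only to show that such input is rejected.
    """
    payload = json.dumps(items, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(b"\x00" * TAG_LEN + payload).decode("ascii")


if __name__ == "__main__":
    # Constructed sample form state.
    state = {"name": "deelan", "quantity": 2}
    token = serialize_items(state)
    assert deserialize_items(token) == state
    assert deserialize_items(unsigned_token(state)) is None
    assert deserialize_items("garbage") is None
    print("signed viewstate round-trips; forged and malformed tokens are rejected")
```

Signing a pickle blob instead of JSON would also stop casual tampering, but it leaves the code-execution surface in place behind a single secret; switching the format removes that surface, which is why the JSON path is the one shown.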