[Keeping [EMAIL PROTECTED] in the loop for the archive]

On Fri, May 26, 2000 at 02:05:42PM +0100, Steve Alexander wrote:
> Martijn Pieters wrote:
> > On Fri, May 26, 2000 at 11:05:23AM +0100, Steve Alexander wrote:
> > > Here's a very silly idea:
> > >
> > > Could you pickle and Base64 encode the data you want to pass, and then
> > > shove it in a single hidden control?
> > 
> > I am afraid that is a very silly security hole. Anyone can replace that pickle
> > with any other pickle, which the server will then instantiate. Anything goes.
> 
> I *knew* there was some reason it was silly as I was typing it :-)
> 
> Shame there's no "safe pickle option" that allows only numbers, strings,
> lists, tuples and dictionaries.

There is actually. It's called marshal:

  http://www.python.org/doc/current/lib/module-marshal.html

which supports just that list of types, plus code objects.

-- 
Martijn Pieters
| Software Engineer    mailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope       http://www.zope.org/
|   The Open Source Web Application Server
---------------------------------------------

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

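The two points in this exchange in working code, as an added example that is not part of the original thread or of Zope: a client-supplied pickle makes `pickle.loads` call any callable the attacker names, and `marshal` has no way to express that. It also shows the caveat Martijn hints at: marshal does deserialise code objects, so a whitelist check after `marshal.loads` is still needed, and a hidden field should be HMAC-signed so the server only ever unmarshals bytes it produced itself. The field layout, the `is_plain_data` whitelist and the `SECRET` key are assumptions for illustration.

```python
"""Pickle in a hidden form field versus marshal plus a signature.

Added example, not code from the original thread or from Zope.  The hidden
field layout, the whitelist helper and SECRET are assumptions.
"""
import base64
import hashlib
import hmac
import marshal
import os
import pickle
import types

# Exactly the types Steve asked for: numbers, strings, lists, tuples, dicts.
SAFE_SCALARS = (bool, int, float, str, bytes, type(None))

SECRET = b"server-side key, never sent to the browser"   # assumption


class Forged:
    """A pickle can name any importable callable via __reduce__ and
    pickle.loads will call it.  os.getcwd is used only because it is
    harmless; an attacker would name os.system or similar."""

    def __reduce__(self):
        return (os.getcwd, ())


def forged_pickle_calls_function():
    """The scheme from the thread: base64 pickle in, pickle.loads on the server.
    The return value is whatever the attacker's callable returned."""
    field = base64.b64encode(pickle.dumps(Forged(), protocol=2))
    return pickle.loads(base64.b64decode(field))        # == os.getcwd()


def marshal_rejects_pickle():
    """marshal knows no classes or callables.  A protocol-2 pickle starts
    with 0x80, which is not even a valid marshal type code."""
    payload = pickle.dumps(Forged(), protocol=2)
    try:
        marshal.loads(payload)
    except (ValueError, EOFError, TypeError):
        return True
    return False


def is_plain_data(obj, depth=0):
    """Whitelist walk: only scalars and nested list/tuple/dict of scalars."""
    if depth > 32:                       # refuse hostile nesting depth
        return False
    if isinstance(obj, SAFE_SCALARS):
        return True
    if isinstance(obj, (list, tuple)):
        return all(is_plain_data(x, depth + 1) for x in obj)
    if isinstance(obj, dict):
        return all(is_plain_data(k, depth + 1) and is_plain_data(v, depth + 1)
                   for k, v in obj.items())
    return False


def marshal_can_carry_code():
    """The caveat: marshal also round-trips code objects, so a bare
    marshal.loads is not a type whitelist by itself."""
    code = compile("1 + 1", "<client-supplied>", "eval")
    obj = marshal.loads(marshal.dumps(code))
    return isinstance(obj, types.CodeType) and not is_plain_data(obj)


def encode_hidden_field(data):
    """Server builds the field: MAC || marshal(data), base64 encoded.
    marshal output is only stable within one interpreter version, which is
    fine for a value the same server writes and reads back."""
    if not is_plain_data(data):
        raise TypeError("only plain data may go in the hidden field")
    body = marshal.dumps(data)
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.b64encode(mac + body).decode("ascii")


def decode_hidden_field(field):
    """Server reads the field: verify the MAC before touching marshal, then
    re-check the type whitelist on what came out."""
    raw = base64.b64decode(field)
    mac, body = raw[:32], raw[32:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was modified by the client")
    data = marshal.loads(body)
    if not is_plain_data(data):
        raise TypeError("hidden field does not contain plain data")
    return data


def tamper_is_detected():
    """Flip one bit of the payload; the MAC check must fail first."""
    field = encode_hidden_field({"user_id": 7})
    raw = bytearray(base64.b64decode(field))
    raw[-1] ^= 0x01
    try:
        decode_hidden_field(base64.b64encode(bytes(raw)).decode("ascii"))
    except ValueError:
        return True
    return False
```

Calling `forged_pickle_calls_function()` shows the server executing a function it never intended to; `marshal_rejects_pickle()` shows the same bytes refused by marshal. `marshal_can_carry_code()` is the reason for the explicit whitelist in `is_plain_data`, and the HMAC in `encode_hidden_field`/`decode_hidden_field` is what turns a hidden field from client input into a value the server can trust.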