Thank you Jens Vagelpohl for the example on unwrapping the object -- yes, this is from product code, not a script. I thought it was weird that there was a difference between an external method and a product method -- perhaps the external method has this unwrapping done for it?

Chris McDonough wrote:
> FWIW, allowing Zope to unpickle data that it receives remotely is a pretty big security risk. It sounds like you probably know this and it's "OK" in your case, but just wanted to send a message to make sure.
>
> On Wednesday, July 3, 2002, at 05:54 , Terry Hancock wrote:
> > For good or ill, I used a variation of the MiniPickle module (see the example on zope.org) to pack Python data structures into a cookie. (I had to add an extra hex-encoding part to make legal cookies.)

Yes, I know it can be. Supposedly MiniPickle restricts itself to "safe" data structures, and won't unpack code objects (or any user-defined objects). It's just a way to avoid parsing a dictionary. It's actually pretty similar to Zope's tree state cookie in function, or like a bookmark.

Since I'm using Zope 2.5.1, the possibility exists of moving to Sessions instead of cookies -- but I'm not sure what the consequences of that are (it would seem that at least my server would have to maintain a data structure for every logged-in user, which doesn't *seem* too efficient to me, but I haven't analyzed the problem yet).

Anyway, it's only about 100-500 bytes of data, so I don't want to spend a lot of effort on it. I consider "fixing" it a second-order problem; the important thing currently is that it works somehow.

Cheers,
Terry

-- 
------------------------------------------------------
Terry Hancock                  hancock@anansispaceworks.com
Anansi Spaceworks              http://www.anansispaceworks.com
P.O. Box 60583                 Pasadena, CA 91116-6583
------------------------------------------------------
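The restriction Terry describes (a pickle loader that resolves only plain-data builtins and refuses user-defined or code objects), plus the hex encoding needed for a legal cookie value, as an added example that is not MiniPickle's own code nor anything from the thread; it uses the standard-library `pickle.Unpickler.find_class` hook, and goes one step beyond the thread by adding an HMAC so a tampered cookie is rejected before it is ever unpickled (the key, `SAFE_BUILTINS` list and `UserDefined` class are constructed for the demo):

```python
import binascii
import hashlib
import hmac
import io
import pickle

# Constructed demo key; a real deployment keeps this server-side and secret.
COOKIE_KEY = b"demo-key-not-for-production"

# Builtins the restricted loader may resolve. Anything else (user-defined
# classes, callables that would run code) is refused before instantiation.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves plain-data builtins (the MiniPickle idea)."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def pack_cookie(data):
    """Pickle plain data, prepend an HMAC, hex-encode so the value is cookie-legal."""
    raw = pickle.dumps(data, protocol=2)
    mac = hmac.new(COOKIE_KEY, raw, hashlib.sha256).digest()
    return binascii.hexlify(mac + raw).decode("ascii")


def unpack_cookie(value):
    """Reverse pack_cookie: verify the MAC first, then load with the restricted loader."""
    blob = binascii.unhexlify(value)
    mac, raw = blob[:32], blob[32:]
    expected = hmac.new(COOKIE_KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("cookie failed integrity check")
    # Defence in depth: even a validly signed cookie may only carry plain data.
    return RestrictedUnpickler(io.BytesIO(raw)).load()


class UserDefined:
    """Constructed stand-in for the kind of object the loader must refuse."""


def cookie_with_forbidden_object():
    """A correctly signed cookie whose pickle references a user-defined class."""
    return pack_cookie(UserDefined())
```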