Re: [Zope] Passing all POST variables?
[Keeping zope@zope.org in the loop for the archive]

On Fri, May 26, 2000 at 02:05:42PM +0100, Steve Alexander wrote:
> Martijn Pieters wrote:
> > On Fri, May 26, 2000 at 11:05:23AM +0100, Steve Alexander wrote:
> > > Here's a very silly idea:
> > > Could you pickle and Base64 encode the data you want to pass, and then shove it in a single hidden control?
> >
> > I am afraid that is a very silly security hole. Anyone can replace that pickle with any other pickle, which the server will then instantiate. Anything goes.
>
> I *knew* there was some reason it was silly as I was typing it :-)
> Shame there's no "safe pickle option" that allows only numbers, strings, lists, tuples and dictionaries.

There is actually. It's called marshal:

http://www.python.org/doc/current/lib/module-marshal.html

which supports just that list of types, plus code objects.

--
Martijn Pieters
| Software Engineer  mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
| The Open Source Web Application Server
---------------------------------------------
On Fri, 26 May 2000 15:14:56 +0200, Martijn Pieters <mj@digicool.com> wrote:
> > Shame there's no "safe pickle option" that allows only numbers, strings, lists, tuples and dictionaries.
>
> There is actually. It's called marshal:
> http://www.python.org/doc/current/lib/module-marshal.html
> which supports just that list of types, plus code objects.

Or look at http://www.zope.org/Members/htrd/howto/MiniPickle if you need:

* Recursive data structures
* Compatibility with the next version of python

Toby Dickenson
tdickenson@geminidataloggers.com
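The "safe pickle option" wished for in the thread, sketched as an added example (not code from the thread or from Zope): an unpickler that refuses every global lookup, so only plain data can be loaded from the hidden field. The function names, the size cap and the sample values are constructed for illustration.

```python
import base64
import collections
import io
import pickle


class PlainDataUnpickler(pickle.Unpickler):
    """Refuse every global lookup while unpickling.

    Numbers, strings, lists, tuples and dicts have their own pickle opcodes
    and never reach find_class. Anything that must import a class or a
    callable does, and is rejected before it is imported or called.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed" % (module, name))


def encode_hidden_field(obj):
    """Pickle and Base64-encode a value, as proposed in the thread."""
    return base64.b64encode(pickle.dumps(obj, protocol=2)).decode("ascii")


def decode_hidden_field(value, max_len=4096):
    """Return the plain data in a hidden-field value, or raise ValueError."""
    if len(value) > max_len:  # hypothetical cap; bounds decoder work
        raise ValueError("hidden field too large")
    try:
        raw = base64.b64decode(value, validate=True)
        return PlainDataUnpickler(io.BytesIO(raw)).load()
    except Exception as exc:  # malformed input fails in many ways
        raise ValueError("rejected hidden field: %s" % exc) from exc


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    form = {"name": "Steve", "qty": 3, "tags": ["a", "b"], "pos": (1, 2.5)}
    print(decode_hidden_field(encode_hidden_field(form)))

    # An OrderedDict pickle names collections.OrderedDict as a global.
    tampered = encode_hidden_field(collections.OrderedDict(a=1))
    try:
        decode_hidden_field(tampered)
    except ValueError as exc:
        print(exc)
```

Refusing globals only stops object instantiation; the client can still alter the plain values, so they need the same validation as any other form field. The Python documentation likewise warns that marshal is not meant for data from an untrusted source.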
participants (2): Martijn Pieters, Toby Dickenson