[Zope] Re: eval in DTML
Terry Hancock
hancock at anansispaceworks.com
Sat Feb 7 10:46:05 EST 2004
On Friday 06 February 2004 03:47 pm, Kevin Carlson wrote:
> Thanks for the replies everyone. I was a little worried about the
> possibility of some malicious code being passed to the dtml but since
> the parameter in question is coming from an external database, it wasn't
> a huge possibility. Nonetheless, it was still a possibility so I did
> what was suggested below and created a python script to convert the text
> representation of the list to a list of integers, which is what is needed.
I hacked a version of Toby Dickensen's "MiniPickle" to create a
MiniPickle.py module in my Narya product, see:
http://cvs.sourceforge.net/viewcvs.py/narya-project/Narya1/Narya/Utility/MiniPickle.py
mini_dumps
This pickles data that you pass to it and converts it to hexcode (which is
just 0-9A-F and therefore safe for any string use, such as embedding in
Cookies or HTML forms).
The reverse operation mini_loads will then restore the data from the string.
The trick is, it won't do it unless the data is a BUILT-IN PYTHON OBJECT,
no functions, code objects, classes or class instances allowed -- only
static data. This should eliminate the hazard of encountering a "trojan"
object submitted by an untrusted client.
I use this in product code, but it can be used in an external method (as
the original mini-pickle implementation did). The main extension in my
module is the use of hexcode for storage (uncoded Python pickle format
will break HTTP cookies, as I found out the hard way).
This should generally be able to do the non-perilous things you could
do with 'eval', without much more effort. I've found it quite useful for
storing dictionaries, for example.
Note that if you REALLY need to store a class instance, you can
provide a means to pack extract the data, mini-pickle and store
*that*, then provide a wrapper to extend the data with the class
on load. This is basically the "pluggable brain" concept, although
I've found it easier to implement this myself than to try to use the
Zope pluggable brain mechanism (which is designed for
through-the-web development).
Cheers,
Terry
--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
More information about the Zope
mailing list