[Zope] pickling error

Terry Hancock hancock@anansispaceworks.com
Thu, 04 Jul 2002 06:52:53 -0700


Thank you Jens Vagelpohl for the example on unwrapping
the object -- yes this is from product code, not a
script. I thought it was weird that there was a difference
between an external method and a product method --
perhaps the external method has this unwrapping done
for it?

Chris McDonough wrote:
> FWIW, allowing Zope to unpickle data that it receives remotely is a
> pretty big security risk.  It sounds like you probably know this and
> it's "OK" in your case, but just wanted to send a message to make sure.
> 
> > On Wednesday, July 3, 2002, at 05:54, Terry Hancock wrote:
> >> For good or ill, I used a variation of the MiniPickle
> >> module (see the example on zope.org) to pack python data
> >> structures into a cookie.  (I had to add an extra
> >> hex-encoding part to make legal cookies).

Yes, I know it can be. Supposedly MiniPickle restricts
itself to "safe" data structures, and won't unpack code
objects (or any user-defined objects). It's just a way
to avoid parsing a dictionary.  It's actually pretty
similar to Zope's tree state cookie in function, or
like a bookmark.

Since I'm using Zope 2.5.1, the possibility exists of
moving to Sessions instead of cookies -- but I'm not
sure what the consequences of that are (it would seem
that at least my server would have to maintain a data
structure for every logged-in user, which doesn't *seem*
too efficient to me, but I haven't analyzed the problem
yet).  Anyway it's only about 100-500 bytes of data,
so I don't want to spend a lot of effort on it.  I
consider "fixing" it a second-order problem, the
important thing currently is that it works somehow.

Cheers,
Terry

-- 
------------------------------------------------------
Terry Hancock
hancock@anansispaceworks.com       
Anansi Spaceworks                 
http://www.anansispaceworks.com 
P.O. Box 60583                     
Pasadena, CA 91116-6583
------------------------------------------------------
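The point Chris and Terry are discussing, a loader that only accepts plain data and refuses any reference to code or user-defined objects, as an added Python 3 example that is not from the thread and is not MiniPickle itself: it relies on the standard library's pickle.Unpickler.find_class hook, and the hex step mirrors Terry's cookie encoding.

```python
import binascii
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference.

    Plain data (None, bool, int, float, str, bytes, list, tuple, dict)
    is written with protocol 4 using only literal opcodes, so it still
    loads.  Any stream that names a module-level object (a class, a
    function, anything reachable via GLOBAL/STACK_GLOBAL) goes through
    find_class, which we turn into a hard failure.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global reference %s.%s not allowed in cookie data" % (module, name)
        )


def pack_cookie(data):
    """Pickle plain data and hex-encode it so it is legal as a cookie value."""
    return binascii.hexlify(pickle.dumps(data, protocol=4)).decode("ascii")


def unpack_cookie(value):
    """Decode a cookie produced by pack_cookie without resolving globals."""
    raw = binascii.unhexlify(value)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_accepted(value):
    """True if the cookie decodes cleanly, False for hostile or damaged input."""
    try:
        unpack_cookie(value)
        return True
    except (pickle.UnpicklingError, binascii.Error, ValueError, EOFError):
        return False


# Constructed sample (not from the thread): a protocol-0 stream consisting
# of one GLOBAL opcode naming the harmless function binascii.hexlify.  A
# stock Unpickler would resolve and return that function; the restricted
# one rejects it before any lookup happens.
GLOBAL_REF_STREAM = binascii.hexlify(b"cbinascii\nhexlify\n.").decode("ascii")
```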