ggbaker | 13 Mar 2004 08:19

safe pickle?

Is there a version of pickle that can be safely used with non-trusted 
data?  It would be very nice to be able to do something like this in a 
CGI script:

    print '<input type="hidden" name="state" value="' + \
            cgi.escape( safepickle(stateinfo) ,True) + '" />'

    # in next script
    stateinfo = safeunpickle(form["state"].value)

Of course, the actual contents of the stateinfo variable would be 
untrusted at this point, but that's always there with submitted data.

The pickle.load function is advertized as unsafe with untrusted data.  
Is there anything similar that is safe?  Obviously, it would have to be 
more restricted than pickle.

Greg Baker, Lecturer
School of Computing Science
Simon Fraser University
Burnaby, BC, V5A 1S6
E-mail: ggbaker@...

_______________________________________________
Web-SIG mailing list
Web-SIG@...
Web SIG: http://www.python.org/sigs/web-sig
Unsubscribe: http://mail.python.org/mailman/options/web-sig/gcpw-web-sig%40m.gmane.org


William Dode | 13 Mar 2004 11:24

Re: safe pickle?

ggbaker@... writes:

> Is there a version of pickle that can be safely used with non-trusted 
> data?  It would be very nice to be able to do something like this in a 
> CGI script:
>
>     print '<input type="hidden" name="state" value="' + \
>             cgi.escape( safepickle(stateinfo) ,True) + '" />'
>
>     # in next script
>     stateinfo = safeunpickle(form["state"].value)
>
> Of course, the actual contents of the stateinfo variable would be 
> untrusted at this point, but that's always there with submitted data.
>
> The pickle.load function is advertized as unsafe with untrusted data.  
> Is there anything similar that is safe?  Obviously, it would have to be 
> more restricted than pickle.

I think you should use a sessionID and pickle inside the server... Even
if pickle was safe you could always have problem with incoherent data.

You can also look at yaml to pickle data in a safer way.

bye

-- 
William - http://flibuste.net


Ian Bicking | 13 Mar 2004 21:16

Re: safe pickle?

On Mar 13, 2004, at 1:19 AM, ggbaker@... wrote:
> Is there a version of pickle that can be safely used with non-trusted
> data?  It would be very nice to be able to do something like this in a
> CGI script:
>
>     print '<input type="hidden" name="state" value="' + \
>             cgi.escape( safepickle(stateinfo) ,True) + '" />'
>
>     # in next script
>     stateinfo = safeunpickle(form["state"].value)
>
> Of course, the actual contents of the stateinfo variable would be
> untrusted at this point, but that's always there with submitted data.

You need to sign your pickle.  Briefly, you have a server-side secret 
(a string); you concatenate that secret string with the pickle string, 
and make a hash of that (using md5 or sha1), and put that in a second 
hidden field.  When you get the hidden pickle field back, you 
reconstruct that hash and check it against the hash you received -- if 
it matches, then you know it's the same pickle you gave them.

--
Ian Bicking | ianb@... | http://blog.ianbicking.org


Ng Pheng Siong | 14 Mar 2004 03:00

Re: safe pickle?

On Sat, Mar 13, 2004 at 02:16:22PM -0600, Ian Bicking wrote:
> >Of course, the actual contents of the stateinfo variable would be
> >untrusted at this point, but that's always there with submitted data.
> 
> You need to sign your pickle.  Briefly, you have a server-side secret 
> (a string); you concatenate that secret string with the pickle string, 
> and make a hash of that (using md5 or sha1), and put that in a second 
> hidden field.  When you get the hidden pickle field back, you 
> reconstruct that hash and check it against the hash you received -- if 
> it matches, then you know it's the same pickle you gave them.

OP may also wish to add an expiry timestamp into the mix, to prevent
replay attacks. This may be in the pickled data or added with the hashing
key.

See AuthCookies in M2Crypto (url in .sig) for an implementation.

-- 
Ng Pheng Siong <ngps@...> 

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
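Added example (Python 3; this is not code from the thread, from M2Crypto's AuthCookies, or from any project named here) of the signed-state pattern Ian describes, with the expiry timestamp Ng suggests folded under the signature. It swaps the thread's hash(secret + pickle) for HMAC-SHA256 with a constant-time compare, and the Python 2 print/cgi.escape for html.escape; SECRET, sign_state, check_state and hidden_field are names chosen here, and the sample state is constructed. The property the code enforces: pickle.loads only ever sees bytes that have already passed the MAC check, so the server unpickles nothing it did not produce itself.

```python
import base64
import hashlib
import hmac
import html
import pickle
import time

# Hypothetical server-side secret. It must never reach the client; a real
# deployment loads it from configuration rather than hard-coding it like this.
SECRET = b"demo-secret-change-me"


def _b64(data: bytes) -> str:
    # The urlsafe alphabet never contains '.', so '.' is a safe field separator.
    return base64.urlsafe_b64encode(data).decode("ascii")


def _mac(secret: bytes, payload: str) -> str:
    # HMAC-SHA256 over the whole payload (pickle + expiry), in place of the
    # plain hash(secret + data) sketched in the thread.
    return _b64(hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest())


def sign_state(stateinfo, secret: bytes = SECRET, ttl: int = 600, now=None) -> str:
    """Serialize stateinfo and return 'b64(pickle).expiry.b64(mac)'."""
    now = int(time.time()) if now is None else int(now)
    blob = pickle.dumps(stateinfo, protocol=pickle.HIGHEST_PROTOCOL)
    payload = _b64(blob) + "." + str(now + ttl)
    return payload + "." + _mac(secret, payload)


def check_state(token: str, secret: bytes = SECRET, now=None):
    """Return (status, value); status is 'ok', 'malformed', 'bad-signature'
    or 'expired'. Only a token that passes the MAC and expiry checks is
    ever handed to pickle.loads."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    b64blob, expires, tag = parts
    # Verify first, in constant time. Nothing else in the token is trusted
    # until this passes, including the expiry field, which the MAC covers.
    if not hmac.compare_digest(_mac(secret, b64blob + "." + expires), tag):
        return "bad-signature", None
    if now > int(expires):
        return "expired", None
    return "ok", pickle.loads(base64.urlsafe_b64decode(b64blob))


def hidden_field(token: str) -> str:
    # Python 3 equivalent of the thread's cgi.escape(..., True).
    return '<input type="hidden" name="state" value="%s" />' % html.escape(token, quote=True)


if __name__ == "__main__":
    # Constructed sample state, of the kind a CGI script carries between requests.
    tok = sign_state({"page": 2, "query": "pickle"})
    print(hidden_field(tok))
    print(check_state(tok))
    # A token whose expiry field was edited fails the MAC check, not the expiry check.
    parts = tok.split(".")
    parts[1] = str(int(parts[1]) + 3600)
    print(check_state(".".join(parts)))
```

The signature gives integrity, not confidentiality: the client can base64-decode and read the state, so it should hold nothing sensitive. It also only protects code paths that check the MAC before unpickling; any handler that calls pickle.loads on the raw field, or a leaked secret, puts the script back where the original question started.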


Aaron Brady | 17 Mar 2004 11:58

Shameless self promotion, and serious question.

http://insom.me.uk/blog/Tech/Python/templating.writeback

Rather than come up with YAPWF (Python Web Framework), what would be
people's thoughts on stripping down Quixote to its bare minimum (I'm
thinking, removing PTL and letting people use what they want;
TAL/Cheetah/"".join()) and that being a contender for the standard
library?

The code base is a joy to work with, so I'd have no problem doing it, if
it sounds like a reasonable idea? (In fairness, there's not a lot of
baggage to strip out!).

Aaron

-- 
"Lack of planning on your part, does not constitute an
emergency on my part."
 -- Office Wisdom (stolen from NooneCasey.ie)


A.M. Kuchling | 17 Mar 2004 12:59

Re: Shameless self promotion, and serious question.

On Wed, Mar 17, 2004 at 10:58:42AM +0000, Aaron Brady wrote:
> Rather than come up with YAPWF (Python Web Framework), what would be
> people's thoughts on stripping down Quixote to its bare minimum (I'm
> thinking, removing PTL and letting people use what they want;

Note that PTL is already optional; simply never import and call
enable_ptl(), and the PTL import hook is never installed.  As you've
discovered, it's not too difficult to use alternative templating schemes;
you've used Cheetah, and I wrote up a recipe for using ZPT
(http://www.quixote.ca/qx/TemplatingWithZpt).  The ptl_compile and
ptl_import modules only add up to around 500 lines, so it wouldn't reduce
the code size of Quixote very much.

--amk


Titus Brown | 17 Mar 2004 17:47

Re: Shameless self promotion, and serious question.

-> http://insom.me.uk/blog/Tech/Python/templating.writeback
-> 
-> Rather than come up with YAPWF (Python Web Framework), what would be
-> people's thoughts on stripping down Quixote to its bare minimum (I'm
-> thinking, removing PTL and letting people use what they want;
-> TAL/Cheetah/"".join()) and that being a contender for the standard
-> library?
-> 
-> The code base is a joy to work with, so I'd have no problem doing it, if
-> it sounds like a reasonable idea? (In fairness, there's not a lot of
-> baggage to strip out!).

I like and use Quixote, so of course I'm in favor.

But I don't see any particular reason to push it into the standard
library over e.g. Webware, which the group I work in uses and also
likes.

These two frameworks support very different programming styles,
some of which may be better suited for some jobs, and some people, than
others.

I'd be more interested in seeing a standardized connection system (e.g.
SCGI) than anything else.  Where to draw the line is a tough question,
but I think the http_request and http_response aspects of Quixote
(originally taken from Zope, n'est-ce pas?) are quite useful and
could be made universal.

cheers,
--titus

Ian Bicking | 17 Mar 2004 17:58

Re: Shameless self promotion, and serious question.

Aaron Brady wrote:
> Rather than come up with YAPWF (Python Web Framework), what would be
> people's thoughts on stripping down Quixote to its bare minimum (I'm
> thinking, removing PTL and letting people use what they want;
> TAL/Cheetah/"".join()) and that being a contender for the standard
> library?

What would the goal be in this? (I ask non-rhetorically)

Or, coming from the other direction (from tabula rasa, instead of from 
quixote), what would you specifically bring in from quixote?

I'd still love to see a standard request and response -- any request and 
response, as long as it isn't too terribly annoying (like FieldStorage).

Besides the request and response, I suppose there is the publisher.  I'm 
less certain of its general applicability.

   Ian


Paul Boddie | 17 Mar 2004 18:15

RE: Shameless self promotion, and serious question.

> I'd still love to see a standard request and response -- any request and
> response, as long as it isn't too terribly annoying (like FieldStorage).
> Besides the request and response, I suppose there is the publisher.  I'm
> less certain of its general applicability.

More self-promotion, but what do you think of the WebStack stuff I announced
on PyPI?

http://www.python.org/pypi?:action=display&name=WebStack&version=0.2

There's a single transaction class which manages access to request and
response information - it's done that way because some frameworks make
little distinction between requests and responses, or at least not enough to
justify two distinct classes. I've found some aspects of current framework
support to be rather irritating - FieldStorage is just one part of that -
and sometimes one wonders if it's really possible to make a sane layer of
functionality without undoing the dubious design decisions of various
frameworks and then having to reimplement that sanity, afresh, on top.

Paul


Aaron Brady | 17 Mar 2004 20:16

Re: Shameless self promotion, and serious question.

IB> What would the goal be in this? (I ask non-rhetorically)
IB>
IB> Or, coming from the other direction (from tabula rasa, instead of from
IB> quixote), what would you specifically bring in from quixote?
IB>
IB> I'd still love to see a standard request and response -- any request and
IB> response, as long as it isn't too terribly annoying (like FieldStorage).
IB>
IB> Besides the request and response, I suppose there is the publisher.  I'm
IB> less certain of its general applicability.

Well I was thinking about request, response and publisher, though now that
I think about it, publisher is not as general as I thought.

Quixote's req/res are based off of Zope, albeit a version from the distant
past, and I've found them to be pretty comprehensive. They could be
reasonably easily layered on top of CGI too.

Aaron
