About using Python pickles in a secure way
More an internal note than a real post.
A discussion about using Python pickles in a secure way:
http://bytes.com/forum/thread19811.html
The scoop is:
- either sign pickles using HMAC
- or disable unpickling of global objects
Example of the second option (Python 2, cPickle):
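import cStringIO
import cPickle

def dumps(obj):
    # Serialize obj with binary pickle protocol 1 (Python 2, cPickle).
    f = cStringIO.StringIO()
    p = cPickle.Pickler(f, 1)
    p.dump(obj)
    return f.getvalue()

def loads(s):
    f = cStringIO.StringIO(s)
    p = cPickle.Unpickler(f)
    # With find_global set to None, any pickle that references a global
    # (a class or function) raises UnpicklingError instead of importing it.
    p.find_global = None
    return p.load()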
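
The first option, signing pickles with HMAC, as an added example that is not part of the original note. It is written for Python 3 (pickle, hmac, hashlib) and also overrides find_class, the Python 3 counterpart of setting find_global to None; the names signed_dumps, signed_loads and NoGlobalsUnpickler and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import pickle

DIGEST = hashlib.sha256
TAG_LEN = DIGEST().digest_size  # 32 bytes for SHA-256


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global lookup, like find_global = None on cPickle."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def signed_dumps(obj, key):
    """Return HMAC tag followed by the pickle bytes."""
    payload = pickle.dumps(obj, protocol=2)
    tag = hmac.new(key, payload, DIGEST).digest()
    return tag + payload


def signed_loads(blob, key):
    """Check the tag first; only an authentic payload reaches the unpickler."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, DIGEST).digest()
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature, refusing to unpickle")
    return NoGlobalsUnpickler(io.BytesIO(payload)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    blob = signed_dumps({"user": "alice", "roles": ["admin"]}, key)
    print(signed_loads(blob, key))
```

The signature only proves the pickle came from a holder of the key, so the key has to stay on the server side and out of anything sent alongside the pickle.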
Fun :)

