OpenID Libraries should be stateless
Wichert Akkerman
wichert at wiggy.net
Tue Feb 5 03:32:06 PST 2008
Previously Ryan Ernst wrote:
> Currently I have "hacked" this by creating a dictionary for the
> Consumer.begin function and then using pickle to serialize the object and
> pass it as a get parameter as described above. This seems unnecessary if
> the manager didn't assume the same machine would be handling the complete
> step.
Never ever use pickles for something like that: the pickle format is not
just a marshalling format: a pickle can contain arbitrary python code
which is executed when the pickle is unpacked. That means that using
pickles opens an easy attack vector into your application.
Wichert.
--
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
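One stateless alternative to the pickled GET parameter discussed above: serialize the begin-step state as JSON (which carries data, not code) and sign it with an HMAC so a tampered or forged parameter is rejected before it is parsed. This is an added example, not code from the thread or from the OpenID library; the field names in the sample state and the key handling are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Constructed example key. A real deployment loads one shared secret from
# configuration so every server in the pool can verify tokens from every other.
SECRET_KEY = secrets.token_bytes(32)


def pack_state(state: dict, key: bytes = SECRET_KEY) -> str:
    """Encode state as canonical JSON, append an HMAC-SHA256 tag, and
    return a URL-safe base64 string suitable for a GET parameter."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def unpack_state(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Verify the HMAC before touching the payload; return None on any failure.
    json.loads only ever produces plain data, so nothing in the token can
    execute code the way unpickling can."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, tag = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        state = json.loads(payload.decode("utf-8"))
    except ValueError:
        return None
    return state if isinstance(state, dict) else None


def tampered_is_rejected(token: str, key: bytes = SECRET_KEY) -> bool:
    """Flip one byte of the signed payload and confirm verification fails."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[0] ^= 0x01
    return unpack_state(base64.urlsafe_b64encode(bytes(raw)).decode("ascii"), key) is None


if __name__ == "__main__":
    # Constructed sample of what a Consumer.begin step might need to carry over.
    sample = {"claimed_id": "https://example.com/alice",
              "return_to": "https://rp.example/finish", "nonce": "abc123"}
    token = pack_state(sample)
    print(token)
    print(unpack_state(token) == sample)            # True
    print(tampered_is_rejected(token))              # True
    print(unpack_state(token, key=b"\x00" * 32))    # None: wrong key
```

The token is not encrypted, only authenticated, so nothing secret belongs in it; adding an issued-at timestamp and rejecting tokens older than a few minutes limits replay of a captured parameter.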