Python pickle and web framework security.

Some python web frame works are using pickle to store session data. Pickle is a well known poor choice for secure systems. However it seems to be more widely known by those writing network applications, than those making web frameworks.

Is your web framework using pickle for sessions despite the warnings in the python documentation about it being insecure?

By using sessions with pickle people who can write to the database servers session table can execute code on the app server. Or people who can get data into the session file/memcache data store can execute data.

This might be an issue if the database server is run by separate people than the app server. Or if the session table is compromised by an sql injection attack elsewhere.

There are some more secure ways of storing pickled data.

Pickle is deemed to be untrustworthy for data. In that it is not certain that code can not be snuck into the data that will be executed by pickle. So if some data from user input is put into the pickle, then it is possible that code could be run.

There are some people who know more about how to exploit pickle, however the warning in the python documentation is this:

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source."""

Cerealizer might be an alternative option...

Or maybe these other two.


philhassey said…
gee, i was looking for some code to do that stuff a few months ago! very nice.

(another interesting option is YAML - )
Matt Franz said…
So this really don't say anything as to why pickles are more or less secure than other ways of persisting data: ASCII, XML, CSV, sqlite or a real database? And what are the attack vectors? Are you talking about an (HTTP?) client/server application reading/writing pickles on the wires or a web framework storing session data on the filesystem?
Which web frameworks use pickles? WIs cPickle more insecure than python pickles. Is shelve just as insecure.

Popular posts from this blog

Is PostgreSQL good enough?

Experiments with new low latency PyPy garbage collector in a thread.

🐱‍🏍 — the first pygame 2 community game. Starting now! Are you in?