Hi, you can use json for passing list and dict. Pickle is dangerous.
Instead of pickle.loads/pickle.dumps use json.loads and json.dumps (using stdlib json in python >= 2.6 or simplejson in python < 2.6)

Regards

On Thu, 18 Nov 2010 09:29:00 +0100, Romaric DEFAUX <r...@audaxis.com> wrote:
> On 17/11/2010 18:52, geremy condra wrote:
> > On Wed, Nov 17, 2010 at 6:44 AM, Romaric DEFAUX<r...@audaxis.com> wrote:
> >
> >> On 16/11/2010 17:47, Romaric DEFAUX wrote:
> >>
> >>> Hi everybody!
> >>>
> >>> First time I write to this mailing list :)
> >>> I started writing in python last week, that's probably why I can't
> >>> understand the following problem...
> >>>
> >>>
> >>> I create a list called web_site_list.
> >>> This list contains dictionaries called web_site.
> >>> And some values in these dictionaries are lists too.
> >>>
> >>> I do that in a function and I return this:
> >>>     return pickle.dumps(web_site_list)
> >>>
> >>> This is working fine :)
> >>>
> >>> If I do:
> >>>     print "%s" % pickle.loads(system.get_web_site_list())
> >>>
> >>> I've got the right stuff. For example it returns:
> >>> [{'documentroot_size': '120', 'servername': '---default---', 'client':
> >>> 'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
> >>> 'serveralias': []}]
> >>>
> >>> I send this to a web service. I send it like that:
> >>> #I put it in params
> >>> def system_updateweb_site(server, login, password):
> >>>     params = {}
> >>>     params['login'] = login
> >>>     params['password'] = password
> >>>     params['action'] = 'updateweb_site'
> >>>     params['servername'] = get_servername()
> >>>     params['hosted_web_site'] = get_web_site_list()
> >>>     return call_system_ws(server, params)
> >>>
> >>> #Here's how I send it (I tried in GET and POST)
> >>> def call_system_ws(host, params):
> >>>     query_string = urllib.urlencode(params)
> >>>     #GET
> >>>     # f = urllib.urlopen("http://%s/ws?%s" % (host, query_string))
> >>>     #POST
> >>>     f = urllib.urlopen("http://%s/ws" % (host), query_string)
> >>>     result = f.readline().strip()
> >>>     if result == 'ERROR':
> >>>         msg = f.readline().strip()
> >>>         return (False, msg)
> >>>     return (True, result)
> >>>
> >>>
> >>> On the server side:
> >>>     if action == 'updateweb_site':
> >>>         if not (fields.has_key('servername') and
> >>>                 fields.has_key('hosted_web_site')):
> >>>             log ('ERROR : missing parameter : servername or hosted_web_site')
> >>>             raise WSError('missing parameter : servername or hosted_web_site')
> >>>         else:
> >>>             servername=g.db.escape_string(fields['servername'])
> >>>             hosted_web_site=g.db.escape_string(fields['hosted_web_site'])
> >>>             output = systemserver.updateweb_site(cursor, servername, hosted_web_site)
> >>>
> >>> In systemserver.py:
> >>> def updateweb_site(cursor, host, hosted_web_site):
> >>>     web_site_list = pickle.loads(hosted_web_site)
> >>>     return "%s" % (web_site_list)
> >>>
> >>> I catch this error:
> >>>
> >>> <type 'exceptions.EOFError'>:
> >>>
> >>> args = ()
> >>> message = ''
> >>>
> >>> Why?
> >>>
> >>> If I just print hosted_web_site, I get this on my web page:
> >>>
> >>>
> >>> (lp0\n(dp1\nS\'documentroot_size\'\np2\nS\'120\'\np3\nsS\'servername\'\np4\nS\'default\'\np5\nsS\'client\'\np6\nS\'undefined\'\np7\nsS\'documentroot\'\np8\nS\'/var/www/\'\np9\nsS\'client_contact\'\np10\ng7\nsS\'serveralias\'\np11\n(lp12\nsa.
> >>>
> >>> It's the "pickled view" of
> >>> [{'documentroot_size': '120', 'servername': '---default---', 'client':
> >>> 'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
> >>> 'serveralias': []}]
> >>>
> >>> Can someone help me please? I spent my afternoon googling to try to find
> >>> a solution...
> >>>
> >>>
> >>> Thanks in advance!!!
> >>>
> >>> Romaric Defaux
> >>>
> >>>
> >> After entirely rewriting my code to not use a web service but a socket (a real
> >> client/server program) I finally found the problem... And it's not linked
> >> to
> >> the POST or GET method...
> >> It's because of that:
> >>     g.db.escape_string(fields['hosted_web_site'])
> >> (escape_string is the function in the MySQLdb library)
> >> It escapes the single quote of the pickled object, and breaks it...
> >>
> >> It's good to know, NEVER escape a pickled object :)
> >>
> >> Romaric Defaux
> >>
> > I'm not sure I understand what you're doing here, but I trust you've
> > read about and understand the security problems with pickle?
> >
> > Geremy Condra
> >
> I quickly read the security problems with pickle. But I don't feel
> concerned about that because I run my program in a private network, not
> over the internet. And now I use a socket to communicate on a non-standard
> port, not a web service on port 80 anymore. If I plan to run it
> through a WAN, I will encrypt the data for sure with SSL or something like
> that :)
>
> Romaric Defaux
> --
http://mail.python.org/mailman/listinfo/python-list
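
The JSON replacement suggested at the top of this reply, as an added example that is not code from the thread: the client form-encodes a JSON string and the server parses and validates it before use. It is written for Python 3 (urllib.parse rather than the thread's Python 2 urllib); the names encode_params, decode_web_site_list, SITE_SCHEMA and MAX_PAYLOAD_BYTES and the 64 KiB limit are assumptions made for the illustration.

```python
import json
from urllib.parse import urlencode, parse_qs

# Expected shape of one web_site entry, taken from the sample output in the thread.
SITE_SCHEMA = {"documentroot_size": str, "servername": str, "client": str,
               "documentroot": str, "client_contact": str, "serveralias": list}
MAX_PAYLOAD_BYTES = 64 * 1024  # assumed limit, tune for the deployment


def encode_params(servername, web_site_list):
    """Client side: serialize with JSON, then form-encode for the POST body."""
    return urlencode({
        "action": "updateweb_site",
        "servername": servername,
        "hosted_web_site": json.dumps(web_site_list),
    })


def decode_web_site_list(body):
    """Server side: parse and validate; raises ValueError on anything unexpected."""
    fields = parse_qs(body)
    raw = fields.get("hosted_web_site", [""])[0]
    if not raw or len(raw) > MAX_PAYLOAD_BYTES:
        raise ValueError("hosted_web_site missing or too large")
    sites = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(sites, list):
        raise ValueError("expected a list of sites")
    for site in sites:
        if not isinstance(site, dict) or set(site) != set(SITE_SCHEMA):
            raise ValueError("unexpected site keys")
        for key, kind in SITE_SCHEMA.items():
            if not isinstance(site[key], kind):
                raise ValueError("bad type for %s" % key)
        if not all(isinstance(a, str) for a in site["serveralias"]):
            raise ValueError("serveralias must be a list of strings")
    return sites


# Constructed sample, same shape as the list printed in the thread.
SAMPLE = [{"documentroot_size": "120", "servername": "---default---",
           "client": "undefined", "documentroot": "/var/www/",
           "client_contact": "undefined", "serveralias": []}]

if __name__ == "__main__":
    print(decode_web_site_list(encode_params("web01", SAMPLE)))
```

Unlike pickle.loads, json.loads only builds lists, dicts, strings, numbers, booleans and None, so a hostile payload is rejected as a ValueError instead of being executed. If the value is later stored in MySQL, pass the JSON string as a query parameter to cursor.execute() instead of escaping it before parsing.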