[Xotcl] "Safe" deserialization

Scott Gargash scottg at atc.creative.com
Wed Jul 26 17:25:36 CEST 2006
There's been a lot of back-and-forth on the comp.lang.tcl and the Tcl'ers wiki lately about handling
user input safely.

Currently I'm using serialized XOTcl objects as user session data. The data gets saved to a file,
and "source" is used to restore it.  It all works well.  But since the data is on the filesystem,
it's possible for a user to edit the data or to load an arbitrary file ("Try this session...").

It seems like the standard Tcl answer is to source the session file in a safe interpreter, but (I
think) that means I would need to alias all my XOTcl object constructors into the safe interpreter.
Is this correct? Is there an easy way to do this?

How do others deal with this sort of issue?

      Scott

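The pattern asked about above, as an added Tcl example that is not part of the original post or of XOTcl: the session file is evaluated in a safe interpreter, and the only command exposed to it is an alias whose master-side target validates every argument. The `Session` constructor, `::session_create`, the option names and both session-file bodies are assumptions constructed for the example; XOTcl's serializer output format is not reproduced.

```tcl
# Added example: restore untrusted session data in a safe interpreter,
# exposing only one whitelisted, argument-checked constructor via
# "interp alias".  The alias target is the trust boundary, so it
# validates instead of trusting the file.  "Session" and the option
# names are hypothetical; the session bodies below are constructed.
package require Tcl 8.4

# Master-side store; this is all a session file is allowed to touch.
array set ::sessions {}
set ::allowed_opts {-user -lastpage}

proc ::session_create {name args} {
    # Reject odd names and unknown keys before anything is stored.
    if {![regexp {^[A-Za-z0-9_]{1,32}$} $name]} {
        error "invalid session name"
    }
    foreach {key val} $args {
        if {[lsearch -exact $::allowed_opts $key] < 0} {
            error "unknown option $key"
        }
        set ::sessions($name,$key) $val
    }
    return $name
}

proc ::restore_session {script} {
    # A safe interp has no file, open, exec, source or socket commands,
    # so the file body can only call what we alias in.
    set safe [interp create -safe]
    interp alias $safe Session {} ::session_create
    set rc [catch {$safe eval $script} err]
    interp delete $safe
    if {$rc} { error "session restore failed: $err" }
}

# Constructed sample of a well-formed saved session.
restore_session {Session s1 -user scott -lastpage /home}
puts "restored: [array get ::sessions]"

# Constructed sample of a tampered file: the hidden command fails
# inside the safe interp and the whole restore is rejected.
if {[catch {restore_session {file delete /tmp/example; Session s2 -user x}} err]} {
    puts "rejected: $err"
}
```

Aliasing the general `Object` or `Class` constructors would hand the file the ability to define methods and run arbitrary Tcl in the master, so only narrow, data-only constructors like the one above should cross the boundary.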
