[Answered] Passing a serialized object through a URL

1👍

If you need to share data between views, do it with the session. That’s what sessions are made for. Session info is stored in the database by default, but it doesn’t have to be, you can also use the filesystem, some caching system (memcache, Redis, etc), or signed-cookies (Django 1.4+ only).

See:

1👍

Is this a security risk?

If the serialisation you are using is pickle then yes that is definitely a problem, as alluded to on the doc:

Never unpickle data received from an untrusted or unauthenticated source

Use a form of serialisation designed only to hold safe static values (eg JSON).

You can protect a value that you send to the client side from tampering by signing it with a MAC, eg using hmac. You may need to consider adding other properties to the MAC-signed data such as username or timestamp, to prevent signed data blocks being freely interchangeable, if that’s a threat to whatever integrity you are trying to achieve.

If you also need to protect the value from being viewed and interpreted by the client side user you would need to use an encryption algorithm (eg AES – not part of stdlib) in addition to the signing.

(I still wouldn’t personally trust a MAC-signed and encrypted pickle. Even though it would need the server-side secret to be leaked to make it exploitable, you don’t really want an information-leakage vulnerability to escalate to an arbitrary-code-execution vulnerability, which is what pickle represents.)
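The answer above describes the pattern in words: serialise to JSON rather than pickle, sign the blob with hmac, and bind the signed data to a username and timestamp so that one user's signed block cannot be replayed as another user's or reused indefinitely. The following is an added example, not code from the original answer, showing one way to do that with only the standard library. The key name, the 300-second default lifetime and the `.`-separated token layout are my assumptions; in practice the secret would come from server configuration, not a literal.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret loaded from configuration in real code.
SECRET_KEY = b"replace-with-server-side-secret"


def sign_payload(data, username, secret=SECRET_KEY, now=None):
    """Return a URL-safe token carrying `data`, bound to `username` and a timestamp.

    The envelope is JSON (safe static values only, never pickle). Binding the user
    and time into the signed bytes stops signed blocks being swapped between users
    or replayed long after they were issued.
    """
    envelope = {
        "data": data,
        "user": username,
        "ts": int(now if now is not None else time.time()),
    }
    # Canonical encoding so the same envelope always produces the same bytes.
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(body).decode()
        + "."
        + base64.urlsafe_b64encode(mac).decode()
    )


def verify_payload(token, username, max_age=300, secret=SECRET_KEY, now=None):
    """Return the embedded data if the token is authentic, for this user and fresh.

    Returns None on any failure: malformed token, bad MAC, wrong user, or expired.
    The MAC is checked before the JSON is parsed, so untrusted bytes never reach
    json.loads unless they were produced by the holder of the secret.
    """
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    envelope = json.loads(body)
    if envelope.get("user") != username:
        return None
    current = now if now is not None else time.time()
    if current - envelope.get("ts", 0) > max_age:
        return None
    return envelope["data"]


if __name__ == "__main__":
    # Constructed sample: a small cart state handed to the next view via the URL.
    token = sign_payload({"cart": [1, 2]}, "alice")
    print("token:", token)
    print("alice:", verify_payload(token, "alice"))   # the data
    print("bob:  ", verify_payload(token, "bob"))     # None: bound to alice
```

The token is plain base64 text, so it can be placed in a query string with `urllib.parse.quote`; the JSON is still readable by the client, which is the point of the answer's last paragraphs: a MAC gives integrity, not confidentiality.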

0👍

It is not the best option, since URL parameter fields will show in server logs. You’re probably better off sending data with the POST method or, better yet, creating a rudimentary database (if you don’t have access to anything else, use SQLite) and just passing the ID to the next screen.
