
[Xotcl] "Safe" deserialization

From: Scott Gargash <scottg_at_atc.creative.com>
Date: Wed, 26 Jul 2006 09:25:36 -0600

There's been a lot of back-and-forth on the comp.lang.tcl and the Tcl'ers wiki lately about handling
user input safely.

Currently I'm using serialized XOTcl objects as user session data. The data gets saved to a file,
and "source" is used to restore it. It all works well. But since the data is on the filesystem,
it's possible for a user to edit the data or to load an arbitrary file ("Try this session...").

It seems like the standard Tcl answer is to source the session file in a safe interpreter, but (I
think) that means I would need to alias all my XOTcl object constructors into the safe interpreter.
Is this correct? Is there an easy way to do this?

How do others deal with this sort of issue?

      Scott


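The approach Scott asks about, as an added example that is not code from the original post or from the XOTcl project: the serialized session is evaluated in a safe interpreter where only one constructor alias exists, and the alias validates the object name and options in the trusted interpreter before XOTcl ever sees them. The class name `Session`, its slots, the `::sess::` namespace, and the sample session files are all assumptions made for this example.

```tcl
# Added example (not from the original post): restoring serialized session
# objects through a safe interpreter with exactly one aliased constructor.
# "Session", its slots, the ::sess:: namespace and the inputs are assumed.
package require Tcl 8.5
package require XOTcl 1.6
namespace import -force ::xotcl::*

namespace eval ::sess {}
Class Session -parameter {user role {cart {}}}

# The only constructor options a session file may use. Anything else
# ("-proc", "-set", "-mixin", ...) would let the file define behaviour
# rather than data, and that behaviour would run in the trusted interp.
set ::sessionSlots {-user -role -cart}

# Target of the alias. Runs in the trusted interpreter, so it validates
# everything and only records what to create; nothing is created until
# the whole script has been accepted (see restoreSession).
proc ::sessionCreate {subcmd name args} {
    if {$subcmd ne "create"} {
        error "session file may only call 'Session create', not '$subcmd'"
    }
    # Confine object names to one namespace so a file cannot overwrite
    # arbitrary commands or another user's session object.
    if {![regexp {^::sess::[A-Za-z0-9_]{1,64}$} $name]} {
        error "refusing object name '$name'"
    }
    if {[llength $args] % 2} {
        error "constructor arguments must be option/value pairs"
    }
    foreach {opt val} $args {
        if {$opt ni $::sessionSlots} {
            error "refusing constructor option '$opt'"
        }
        # XOTcl treats a leading '-' as the start of the next method call,
        # so an option-like value could smuggle in a second method.
        if {[string match -* $val]} {
            error "refusing option-like value for '$opt'"
        }
    }
    lappend ::sessionsPending [list $name $args]
    return $name
}

# Evaluate a serialized session script in a fresh safe interp. A safe interp
# has no exec/open/socket/source/file commands, so a line a user appended to
# the file cannot reach the system; the alias is the only way out of it.
proc ::restoreSession {script} {
    set ::sessionsPending {}
    set safe [interp create -safe]
    interp alias $safe Session {} ::sessionCreate
    # Bound runaway loops such as "while 1 {}" (interp limit, Tcl 8.5+).
    interp limit $safe commands -value 10000
    set rc [catch {interp eval $safe $script} err]
    interp delete $safe
    if {$rc} {
        error "session file rejected: $err"
    }
    # Fail closed: objects are created only if every line was accepted.
    set created {}
    foreach entry $::sessionsPending {
        lassign $entry name args
        Session create $name {*}$args
        lappend created $name
    }
    return $created
}

proc ::restoreSessionFile {path} {
    set fh [open $path r]
    set script [read $fh]
    close $fh
    return [restoreSession $script]
}

# Constructed inputs for this example. "good" is the shape a serializer might
# emit; the other two are what a user could write into the session file.
set samples {
    good     {Session create ::sess::scott -user scott -role user -cart {book pen}}
    execLine {Session create ::sess::scott -user scott -role user
              exec touch /tmp/owned}
    procInj  {Session create ::sess::scott -user scott -role user -proc isAdmin {} {return 1}}
}
foreach {label script} $samples {
    if {[catch {restoreSession $script} result]} {
        puts "$label: rejected ($result)"
    } else {
        puts "$label: restored $result, user=[::sess::scott user]"
    }
}
```

The `execLine` sample fails inside the safe interpreter with an unknown-command error, because `exec` is hidden there; the `procInj` sample is stopped by the option allowlist in the trusted interpreter, which is the check that matters: a safe interpreter alone does not help if the aliased constructor accepts `-proc`, since the method body would later run with full privileges. Two caveats remain that the safe interpreter does not address. It stops code execution, not data tampering, so a user who can edit the file can still change `-role user` to `-role admin`; fields that carry authority should either be kept server-side or the file should be authenticated (for example with an HMAC checked before it is evaluated). And the restore still does real work per line, so the command limit is what keeps a hostile file from tying up the process.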