
Nate Coraor committed 2a756ca Merge

Apply 2014.07.30 security fix to release_2014.02.10


Files changed (3)

 1ae95b3aa98d1ccf15b243ac3ce6a895eb7efc53 release_2013.08.12
 26f58e05aa1068761660681583821e21e6cbf7ab release_2013.11.04
 5e605ed6069fe4c5ca9875e95e91b2713499e8ca release_2014.02.10
+6b0bd93038a843b1585155f0d63f0eea2459c70b latest_2013.01.13
+3e62060b14b9afc46f8e0ec02e1a4500d77db9e1 latest_2013.02.08
+425009b3ff4d8b67d2812253b221f3c4f4a8d1e3 latest_2013.04.01
+9713d86392ef985ffcdc39ff0c8ddf51a1f9ce47 latest_2013.06.03
+9ed84cd208e07e8985ec917cb025fcbbb09edcfb latest_2013.08.12
+81fbe25bd02edcd53065e8e4476dd1dfb5a72cf2 latest_2013.11.04

lib/galaxy/util/__init__.py

 
 
 def object_to_string( obj ):
-    return binascii.hexlify( pickle.dumps( obj, 2 ) )
+    return binascii.hexlify( obj )
 
 def string_to_object( s ):
-    return pickle.loads( binascii.unhexlify( s ) )
+    return binascii.unhexlify( s )
 
 def get_ucsc_by_build(build):
     sites = []
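Review bot: object_to_string and string_to_object are now plain hex encode and decode, but their names still promise object serialization and nothing documents the new contract. A caller that still passes a non-string object will now fail inside binascii.hexlify, and a caller expecting a deserialized object back will receive the raw decoded string; callers outside this section are not visible here, so each one should be checked. I would add a docstring to each, for example `"""Hex-encode a string; performs no serialization, so callers must serialize (e.g. to JSON) first."""` and `"""Hex-decode a string; never unpickles, and the result is untrusted text the caller must parse and validate."""`.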

lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py

 from galaxy.web.base.controller import *
 
 import sys
+import json
 from galaxy import web, util
 
 import re, urllib, logging
         try:
             store = params.get("__GALAXY__", None)
             if store:
-                store = util.string_to_object(store)
+                store = json.loads(util.string_to_object(store))
             else:
                 store = {}
             UCSC_URL = 'UCSC_URL'
 
                 # Serialize store into a form element
                 store_text = "<INPUT TYPE=\"HIDDEN\" NAME=\"__GALAXY__\" ID=\"__GALAXY__\" VALUE=\"" \
-                             + util.object_to_string(store) + "\" \>"
+                             + json.dumps(util.object_to_string(store)) + "\" \>"
 
                 # Remove text regions that should not be exposed
                 for key,value in altered_regions.items():
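Review bot: The line that serializes the hidden field calls `json.dumps(util.object_to_string(store))`, which is the reverse of the order the decode path needs for `json.loads(util.string_to_object(store))` earlier in this section. With the new helper, object_to_string hands store (a dict, judging by `store = {}`) straight to binascii.hexlify, which accepts only string data, and even for a string json.dumps would put double quotes inside the `VALUE="..."` attribute. The call should be `+ util.object_to_string(json.dumps(store)) + "\" \>"` so the value round-trips. Because `__GALAXY__` comes from the request, it is also worth confirming after json.loads that the result is a dict before it is used. The enclosing method starts and ends outside the visible hunks, so how the surrounding try handles a malformed value cannot be seen here.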