
Nate Coraor  committed 9661b9d Merge

Apply 2014.07.30 security fix to release_2014.04.14

  • Parent commits ca297d9, 50753c5
  • Branches stable


Files changed (3)

 5e605ed6069fe4c5ca9875e95e91b2713499e8ca release_2014.02.10
 9e53251b0b7e93b9563008a2b112f2e815a04bbc release_2014.04.14
 68a8b0397947c732b28207d465d3f3c4e2a7a8a0 latest_2014.04.14
+6b0bd93038a843b1585155f0d63f0eea2459c70b latest_2013.01.13
+3e62060b14b9afc46f8e0ec02e1a4500d77db9e1 latest_2013.02.08
+425009b3ff4d8b67d2812253b221f3c4f4a8d1e3 latest_2013.04.01
+9713d86392ef985ffcdc39ff0c8ddf51a1f9ce47 latest_2013.06.03
+9ed84cd208e07e8985ec917cb025fcbbb09edcfb latest_2013.08.12
+81fbe25bd02edcd53065e8e4476dd1dfb5a72cf2 latest_2013.11.04
+2a756ca2cb1826db7796018e77d12e2dd7b67603 latest_2014.02.10

File lib/galaxy/util/__init__.py

 
 
 def object_to_string( obj ):
-    return binascii.hexlify( pickle.dumps( obj, 2 ) )
+    return binascii.hexlify( obj )
 
 def string_to_object( s ):
-    return pickle.loads( binascii.unhexlify( s ) )
+    return binascii.unhexlify( s )
 
 def compare_urls( url1, url2, compare_scheme=True, compare_hostname=True, compare_path=True ):
     url1 = urlparse( url1 )
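Review bot: `object_to_string` and `string_to_object` keep their names, but they now only hex-encode and hex-decode a string, so any caller that still passes a dict or other object gets a TypeError from `binascii.hexlify` instead of a serialized value. Dropping `pickle.loads` is right for a value that round-trips through the client, but the new contract is undocumented; add a docstring such as `"""Hex-encode a string. Callers must serialize first (e.g. json.dumps); pickle is deliberately not used because the value is client-supplied."""` and a matching one on the decoder. Hex encoding adds no integrity protection, so callers must still treat the decoded value as untrusted input. Other callers of these helpers are not visible on this page and should be checked for non-string arguments.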

File lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py

 from galaxy.web.base.controller import *
 
 import sys
+import json
 from galaxy import web, util
 
 import re, urllib, logging
         try:
             store = params.get("__GALAXY__", None)
             if store:
-                store = util.string_to_object(store)
+                store = json.loads(util.string_to_object(store))
             else:
                 store = {}
             UCSC_URL = 'UCSC_URL'
 
                 # Serialize store into a form element
                 store_text = "<INPUT TYPE=\"HIDDEN\" NAME=\"__GALAXY__\" ID=\"__GALAXY__\" VALUE=\"" \
-                             + util.object_to_string(store) + "\" \>"
+                             + json.dumps(util.object_to_string(store)) + "\" \>"
 
                 # Remove text regions that should not be exposed
                 for key,value in altered_regions.items():
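Review bot: The serialization on the `store_text` line is composed in the wrong order. `json.dumps(util.object_to_string(store))` hands `store` (a dict on this path) to `binascii.hexlify`, which raises TypeError, and even for a string input it would wrap the hex in JSON quotes that break the `VALUE="..."` attribute and cannot be unhexlified on the way back. It should mirror the decode path above (`json.loads(util.string_to_object(store))`), i.e. `+ util.object_to_string(json.dumps(store)) + "\" \>"`. The decoded store is still client-controlled, so values read from it (such as the `UCSC_URL` key) should be validated before use; how they are used lies outside the visible hunks, as do the start and end of the enclosing method.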