Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#20444 closed Cleanup/optimization (fixed)

Cookie-based sessions does not include a remote code execution-warning

Reported by: Erik Romijn Owned by: nobody
Component: contrib.sessions Version: master
Severity: Normal Keywords: dceu13
Cc: eromijn@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

As cookie-based sessions use pickle, an attacker who is able to generate an arbitrary valid session cookie is able to remotely execute arbitrary code. Thus, this means having the secret key of any website that has cookie-based sessions enabled means anyone can execute arbitrary code.

This is not a new fact, but I think it deserves a bold warning with the cookie-based sessions documentation, as it is such a more extreme case than other possible risks of leaking the secret key.
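The risk described in the ticket is that a valid signature is all that stands between a forged cookie and `pickle.loads`. The following is an added example, not Django's code, showing what a defender can do about it: keep the cookie format inert by signing JSON (which can only ever decode to dicts, lists, strings and numbers), and, where pickle cannot be avoided, scan a payload for code-resolving opcodes before loading and refuse to resolve any global during unpickling. The `SECRET_KEY` value, the `<payload>:<hmac>` cookie layout and all helper names are constructed for this demo. Django itself later moved in the same direction by making a JSON serializer the default (the `SESSION_SERIALIZER` setting, Django 1.6).

```python
"""Added example (not Django's code): keeping a signed session cookie inert.

Assumptions (all constructed for this demo): the SECRET_KEY value, the cookie
layout "<urlsafe-b64 payload>:<hex hmac-sha256>", and every helper name below.
"""
import base64
import binascii
import collections
import hashlib
import hmac
import io
import json
import pickle
import pickletools

SECRET_KEY = "constructed-demo-secret-key"  # constructed; a real key is random and private

# Pickle opcodes that can resolve or call Python objects on load. Plain session
# data (dicts, lists, strings, numbers) never needs any of them.
_CODE_EXECUTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def _sign(payload: bytes, key: str) -> str:
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def make_cookie(data: dict, key: str) -> str:
    """Serialize session data as JSON and sign it: the value carries no objects."""
    payload = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode())
    return payload.decode() + ":" + _sign(payload, key)


def load_cookie(cookie: str, key: str):
    """Return the session dict, or None if the signature does not verify.

    Decoding happens only after the HMAC check, and even then JSON can only
    produce dicts/lists/str/numbers, never instances or callables."""
    if ":" not in cookie:
        return None
    payload_b64, sig = cookie.rsplit(":", 1)
    payload = payload_b64.encode()
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None  # tampered, or signed under a different (leaked or rotated) key
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, binascii.Error):
        return None


def pickle_needs_code(data: bytes) -> bool:
    """Static scan: True if loading `data` would resolve or call any Python object.

    A detection signal for stored or transported pickles; pickletools only
    parses opcodes, so nothing in `data` is executed."""
    try:
        return any(op.name in _CODE_EXECUTING_OPCODES
                   for op, _arg, _pos in pickletools.genops(data))
    except Exception:
        return True  # unparseable pickle: treat as hostile


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global; a pickle that needs one is rejected outright."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from an untrusted pickle")


def restricted_loads(data: bytes):
    """Load a pickle that may contain only primitive containers and scalars."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    cookie = make_cookie({"uid": 42}, SECRET_KEY)
    print("valid cookie ->", load_cookie(cookie, SECRET_KEY))
    print("tampered cookie ->", load_cookie("x" + cookie, SECRET_KEY))
    plain = pickle.dumps({"uid": 42})
    objectful = pickle.dumps(collections.OrderedDict(uid=42))
    print("plain dict needs code:", pickle_needs_code(plain))
    print("OrderedDict needs code:", pickle_needs_code(objectful))
```

`pickle_needs_code` is useful as an audit on existing session stores: any stored pickle that trips it contains something a JSON serializer could never have produced and deserves a look. The `RestrictedUnpickler` pattern is the one from the Python `pickle` documentation, narrowed here to refuse every global rather than allow-list a few.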

Change History (5)

comment:1 Changed 4 years ago by Erik Romijn

Has patch: set

comment:2 Changed 4 years ago by ludw

Triage Stage: Unreviewed → Accepted

comment:3 Changed 4 years ago by EmilStenstrom

Triage Stage: Accepted → Ready for checkin

I agree that having a warning in the documentation is a good idea. SECRET_KEY should generally be kept secret no matter if you use cookie-based sessions or not, but since there are possible remote code execution issues it's worth repeating IMO.

With the little documentation experience I have the patch looks good to me.

comment:4 Changed 4 years ago by Aymeric Augustin <aymeric.augustin@…>

Resolution: fixed
Status: new → closed

In d5ce2ff5e485bf94fcade340bc803ba4671bd95a:

Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

comment:5 Changed 3 years ago by Tim Graham <timograham@…>

In 2b750fff5653781f07e65a54a99e7da66361ec9e:

[1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

Backport of d5ce2ff5e4 from master
