Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#20444 closed Cleanup/optimization (fixed)

Cookie-based sessions does not include a remote code execution-warning

Reported by: Sasha Romijn
Owned by: nobody
Component: contrib.sessions
Version: dev
Severity: Normal
Keywords: dceu13
Cc: eromijn@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

As cookie-based sessions use pickle, an attacker who is able to generate an arbitrary valid session cookie is able to remotely execute arbitrary code. Thus, having the secret key of any website that has cookie-based sessions enabled means anyone can execute arbitrary code.

This is not a new fact, but I think it deserves a bold warning in the cookie-based sessions documentation, as it is a much more extreme case than other possible risks of leaking the secret key.
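
The risk described above, as an added example that is not part of the original ticket and is not Django's code: a simplified standard-library model of a signed session cookie, showing that the HMAC check is the only barrier in front of `pickle.loads`, while a data-only serializer such as JSON rejects the same bytes. The names `sign`, `unsign`, `load_session`, `try_load`, the key and the payload class are assumptions, and the payload names the harmless `os.getcwd`.

```python
import base64, hashlib, hmac, json, os, pickle

SECRET_KEY = b"constructed-demo-key"  # constructed; stands in for a leaked SECRET_KEY

class CallsOnLoad:
    """Constructed payload: unpickling it calls the named function (harmless here)."""
    def __reduce__(self):
        return (os.getcwd, ())

def sign(payload: bytes, key: bytes) -> str:
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + mac

def unsign(cookie: str, key: bytes) -> bytes:
    body, mac = cookie.rsplit(":", 1)
    payload = base64.urlsafe_b64decode(body)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return payload

def load_session(cookie: str, key: bytes, serializer):
    # The HMAC check is the only gate in front of the deserializer.
    return serializer.loads(unsign(cookie, key))

def try_load(cookie: str, key: bytes, serializer):
    try:
        return ("loaded", load_session(cookie, key, serializer))
    except ValueError as exc:  # bad signature, or bytes that are not valid JSON
        return ("rejected", type(exc).__name__)

if __name__ == "__main__":
    payload = pickle.dumps(CallsOnLoad())
    # Without the key the forged cookie fails the signature check.
    print(try_load(sign(payload, b"wrong-key"), SECRET_KEY, pickle))
    # With the key it verifies, and loads() returns the called function's result.
    print(try_load(sign(payload, SECRET_KEY), SECRET_KEY, pickle))
    # A JSON serializer treats the same correctly signed bytes as invalid data.
    print(try_load(sign(payload, SECRET_KEY), SECRET_KEY, json))
    ok = json.dumps({"user_id": 1}).encode()
    print(try_load(sign(ok, SECRET_KEY), SECRET_KEY, json))
```
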

Change History (5)

comment:1 by Sasha Romijn, 11 years ago

Has patch: set

comment:2 by ludw, 11 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by EmilStenstrom, 11 years ago

Triage Stage: Accepted → Ready for checkin

I agree that having a warning in the documentation is a good idea. SECRET_KEY should generally be kept secret no matter if you use cookie-based sessions or not, but since there are possible remote code execution issues, it's worth repeating IMO.

With the little documentation experience I have, the patch looks good to me.

comment:4 by Aymeric Augustin <aymeric.augustin@…>, 11 years ago

Resolution: fixed
Status: new → closed

In d5ce2ff5e485bf94fcade340bc803ba4671bd95a:

Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

comment:5 by Tim Graham <timograham@…>, 11 years ago

In 2b750fff5653781f07e65a54a99e7da66361ec9e:

[1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

Backport of d5ce2ff5e4 from master
