#20444 closed Cleanup/optimization (fixed)
Cookie-based sessions does not include a remote code execution-warning
| Reported by: | Sasha Romijn | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | dceu13 |
| Cc: | eromijn@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
As cookie-based sessions use pickle, an attacker which is able to generate an arbitrary valid session cookie, is able to remotely execute arbitrary code. This, this means having the secret key of any website that has cookie-based sessions enabled means anyone can execute arbitrary code.
This is not a new fact, but I think it deserves a bold warning with the cookie-based sessions documentation, as it is such a more extreme case than other possible risks of leaking the secret key.
Change History (5)
comment:1 by , 11 years ago
| Has patch: | set |
|---|
comment:2 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 11 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
I agree that having a warning in the documentation is a good idea. SECRET_KEY should generally be kept secret no matter if you use cookie based sessions or not, but since there's possible remote code execution issues it's worth repeating IMO.
With the little documentation experience I have the patch looks good to me.
comment:4 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Pull request in https://github.com/django/django/pull/1119