Opened 22 months ago

Closed 22 months ago

Last modified 19 months ago

#20444 closed Cleanup/optimization (fixed)

Cookie-based sessions do not include a remote code execution warning

Reported by: erikr
Owned by: nobody
Component: contrib.sessions
Version: master
Severity: Normal
Keywords: dceu13
Cc: eromijn@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

As cookie-based sessions use pickle, an attacker who is able to generate an arbitrary valid session cookie is able to remotely execute arbitrary code. This means that having the secret key of any website that has cookie-based sessions enabled means anyone can execute arbitrary code.

This is not a new fact, but I think it deserves a bold warning in the cookie-based sessions documentation, as it is a much more extreme case than the other possible risks of leaking the secret key.
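The risk the ticket describes, as an added example that is not code from the ticket, its patch or Django itself: a small settings audit that flags the signed-cookie session engine combined with pickle serialization, beside a hardened copy of the same configuration. It assumes the real Django setting names SESSION_ENGINE, SESSION_SERIALIZER and SECRET_KEY (SESSION_SERIALIZER and JSONSerializer exist from Django 1.6); the finding text and the sample dicts are constructed here.

```python
# Added example, not Django code: audit a settings dict for the combination
# where a leaked SECRET_KEY turns cookie forgery into remote code execution.
SIGNED_COOKIES = "django.contrib.sessions.backends.signed_cookies"
PICKLE = "django.contrib.sessions.serializers.PickleSerializer"
JSON = "django.contrib.sessions.serializers.JSONSerializer"


def audit_session_settings(settings, pickle_when_unset=False):
    """Return (severity, message) findings for a Django settings dict.

    pickle_when_unset=True models releases before SESSION_SERIALIZER
    existed, where cookie-based sessions always pickled their payload.
    """
    findings = []
    engine = settings.get("SESSION_ENGINE", "")
    default = PICKLE if pickle_when_unset else JSON
    serializer = settings.get("SESSION_SERIALIZER", default)

    if not settings.get("SECRET_KEY"):
        findings.append(("critical", "SECRET_KEY is empty: no signed data can be trusted"))

    if engine == SIGNED_COOKIES:
        if serializer == PICKLE:
            # The ticket's case: the cookie payload is unpickled server-side.
            findings.append(("critical",
                "signed-cookie sessions unpickle cookie data: anyone holding "
                "SECRET_KEY can forge a cookie that runs arbitrary code on the server"))
        else:
            # Still serious: the key alone lets any session be forged.
            findings.append(("high",
                "signed-cookie sessions: anyone holding SECRET_KEY can forge any "
                "session, so the key must be protected like a credential"))
    return findings


def harden(settings):
    """Return a copy that stops deserializing session cookies with pickle.

    Assumes Django 1.6+ (SESSION_SERIALIZER / JSONSerializer available);
    on older releases, switch away from the signed_cookies engine instead.
    """
    fixed = dict(settings)
    fixed["SESSION_SERIALIZER"] = JSON
    return fixed


# Constructed sample configurations (not taken from any real project).
WEAK = {"SECRET_KEY": "constructed-example-key",
        "SESSION_ENGINE": SIGNED_COOKIES,
        "SESSION_SERIALIZER": PICKLE}
HARDENED = harden(WEAK)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for severity, msg in audit_session_settings(cfg):
            print(f"[{name}] {severity}: {msg}")
```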

Change History (5)

comment:1 Changed 22 months ago by erikr

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 22 months ago by ludw

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 22 months ago by EmilStenstrom

  • Triage Stage changed from Accepted to Ready for checkin

I agree that having a warning in the documentation is a good idea. SECRET_KEY should generally be kept secret no matter whether you use cookie-based sessions or not, but since there are possible remote code execution issues, it's worth repeating IMO.

With the little documentation experience I have, the patch looks good to me.

comment:4 Changed 22 months ago by Aymeric Augustin <aymeric.augustin@…>

  • Resolution set to fixed
  • Status changed from new to closed

In d5ce2ff5e485bf94fcade340bc803ba4671bd95a:

Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

comment:5 Changed 19 months ago by Tim Graham <timograham@…>

In 2b750fff5653781f07e65a54a99e7da66361ec9e:

[1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning

Backport of d5ce2ff5e4 from master
