Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#21002 closed Cleanup/optimization (fixed)

Document JSON session serialization requires string keys

Reported by: jeroen.pulles@… Owned by: Tim Graham
Component: Documentation Version: 1.6-beta-1
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Just updated my project to django 1.6 beta; effectively moved from the pickle session serializer to the json serializer without knowing (I only read about this change *after* I got errors). Suddenly things break. Apparently my old session bytes are decoded, via something JSON-ish.

A dictionary like:

{1: 2}

becomes:

{u"1": 2}

breaking:

mydict[1]
>>> KeyError

I prefer an error message where "the json decoder" complains that it can't decode pickle data, so that I have a chance of "migrating" the session data, clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.

I don't understand the session docs on "an attacker knowing the SECRET_KEY"; as in, an attacker can brute-force guess/determine the secret key? Or did this attacker read the config file with the secret key... along with the database password etcetera. As a result I am not sure whether I should switch serializers or make my session data JSON-proof.
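The key coercion described in this report, as an added example (not code from the ticket or from Django): a JSON round-trip turns integer dict keys into strings, and the hypothetical `non_string_keys` helper lists such keys so a project can check its session data before switching serializers.

```python
import json


def json_roundtrip(data):
    """Simulate what a JSON-based session serializer does to session data."""
    return json.loads(json.dumps(data))


def non_string_keys(data, path=""):
    """Return the paths of every dict key that JSON would coerce to a string.

    Walks nested dicts and lists; the result is empty when the data would
    survive a JSON round-trip with its keys unchanged.
    """
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            child = "%s[%r]" % (path, key)
            if not isinstance(key, str):
                found.append(child)
            found.extend(non_string_keys(value, child))
    elif isinstance(data, (list, tuple)):
        for i, item in enumerate(data):
            found.extend(non_string_keys(item, "%s[%d]" % (path, i)))
    return found


if __name__ == "__main__":
    # Constructed sample: cached data keyed by database ids, as in the report.
    session = {"cache": {1: "alpha", 2: "beta"}, "user_id": 42}
    print(non_string_keys(session))
    restored = json_roundtrip(session)
    print(restored["cache"].get(1))  # None: the key is now the string '1'
```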

Attachments (1)

21002.diff (3.3 KB) - added by Tim Graham 3 years ago.


Change History (8)

comment:1 Changed 3 years ago by Tim Graham

Component: contrib.sessions → Documentation
Owner: changed from nobody to Tim Graham
Status: new → assigned
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

Thanks for the feedback. This isn't a consequence of switching from JSON to pickle (as noted in the release notes "If you upgrade and switch from pickle to JSON, sessions created before the upgrade will be lost."), but rather a limitation of the JSON serializer -- keys are always serialized as strings in JSON. I believe we should handle this by documenting the caveat that you shouldn't use integer keys (or other types) when using JSON serialization.

I will clarify the docs regarding your question about SECRET_KEY. There's no inherent vulnerability in Django that would cause it to leak.

Changed 3 years ago by Tim Graham

Attachment: 21002.diff added

comment:2 Changed 3 years ago by Tim Graham

Has patch: set

I've added a patch. If you could provide feedback that would be great --thanks again!

comment:3 Changed 3 years ago by jeroen.pulles@…

Ah yes, my bad, sorry; I thought that my current (pickled) session was mangled; instead, stuff only broke after the inevitable login when changing serializers.

The example with the zero as key to session might be a bit far-fetched. In my use case I have a bunch of database ids as keys to some cached data. On the other hand it's nice and short. I'm fine with it.

Thanks,
jeroen

comment:4 Changed 3 years ago by Tim Graham

Summary: Sessions: The switch from pickle to json silently mangles my session data → Document JSON session serialization requires string keys
Triage Stage: Accepted → Ready for checkin

comment:5 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 3baf1d10429ae4ab503e0b96daeb88cfb860e54c:

Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

comment:6 Changed 3 years ago by Tim Graham <timograham@…>

In c0fb6bdde3ffcfc4108d865cdc3f34a7175e5907:

[1.6.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master

comment:7 Changed 3 years ago by Tim Graham <timograham@…>

In bc78ffa270cd6b2607749c0ed2b3974b98eef0f4:

[1.5.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master.
