Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#21002 closed Cleanup/optimization (fixed)

Document JSON session serialization requires string keys

Reported by: jeroen.pulles@… Owned by: Tim Graham
Component: Documentation Version: 1.6-beta-1
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Just updated my project to the Django 1.6 beta; effectively moved from the pickle session serializer to the JSON serializer without knowing (I only read about this change *after* I got errors). Suddenly things break. Apparently my old session bytes are decoded via something JSON-ish.

A dictionary like:

{1: 2}

becomes:

{u"1": 2}

breaking:

>>> mydict[1]
KeyError

I prefer an error message where "the json decoder" complains that it can't decode pickle data, so that I have a chance of "migrating" the session data, clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.

I don't understand the session docs on "an attacker knowing the SECRET_KEY". As in, an attacker can brute-force guess/determine the secret key? Or did this attacker read the config file with the secret key... along with the database password etcetera? As a result I am not sure whether I should switch serializers or make my session data JSON-proof.

Attachments (1)

21002.diff (3.3 KB ) - added by Tim Graham 11 years ago.


Change History (8)

comment:1 by Tim Graham, 11 years ago

Component: changed from contrib.sessions to Documentation
Owner: changed from nobody to Tim Graham
Status: changed from new to assigned
Triage Stage: changed from Unreviewed to Accepted
Type: changed from Uncategorized to Cleanup/optimization

Thanks for the feedback. This isn't a consequence of switching from JSON to pickle (as noted in the release notes "If you upgrade and switch from pickle to JSON, sessions created before the upgrade will be lost."), but rather a limitation of the JSON serializer -- keys are always serialized as strings in JSON. I believe we should handle this by documenting the caveat that you shouldn't use integer keys (or other types) when using JSON serialization.

I will clarify the docs regarding your question about SECRET_KEY. There's no inherent vulnerability in Django that would cause it to leak.
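As an added example (not code from the ticket or from Django itself), the key conversion described in comment:1, reproduced with the standard json module that Django's JSON session serializer wraps, plus a hypothetical non_string_keys check that reports offending keys before data is put into a session instead of letting them be silently mangled:

```python
import json


def json_roundtrip(data):
    """Serialize and deserialize the way the JSON session serializer does.
    Django's JSONSerializer calls json.dumps/json.loads underneath, so a
    dict with int keys comes back with str keys."""
    return json.loads(json.dumps(data))


def non_string_keys(data, path=""):
    """Return the access paths of every dict key that is not a str, recursing
    into nested dicts and lists. Hypothetical helper, not part of Django."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = f"{path}[{key!r}]"
            if not isinstance(key, str):
                found.append(here)
            found.extend(non_string_keys(value, here))
    elif isinstance(data, (list, tuple)):
        for i, item in enumerate(data):
            found.extend(non_string_keys(item, f"{path}[{i}]"))
    return found


def check_session_value(value):
    """Raise before storing, which is the clear error the reporter asked for.
    Returns the value unchanged when every key is a str."""
    bad = non_string_keys(value)
    if bad:
        raise TypeError("JSON session data needs str keys; offending: " + ", ".join(bad))
    return value


if __name__ == "__main__":
    cache = {1: "first", 2: "second"}        # constructed: database ids as keys
    back = json_roundtrip(cache)
    print(back)                               # {'1': 'first', '2': 'second'}
    print(1 in back, "1" in back)             # False True
    print(non_string_keys({"cache": cache}))  # ["['cache'][1]", "['cache'][2]"]
```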

by Tim Graham, 11 years ago

Attachment: 21002.diff added

comment:2 by Tim Graham, 11 years ago

Has patch: set

I've added a patch. If you could provide feedback that would be great --thanks again!

comment:3 by jeroen.pulles@…, 11 years ago

Ah yes, my bad, sorry; I thought that my current (pickled) session was mangled; instead, stuff only broke after the inevitable login when changing serializers.

The example with the zero as key to session might be a bit far-fetched. In my use case I have a bunch of database ids as keys to some cached data. On the other hand it's nice and short. I'm fine with it.

Thanks,
jeroen

comment:4 by Tim Graham, 11 years ago

Summary: changed from "Sessions: The switch from pickle to json silently mangles my session data" to "Document JSON session serialization requires string keys"
Triage Stage: changed from Accepted to Ready for checkin

comment:5 by Tim Graham <timograham@…>, 11 years ago

Resolution: fixed
Status: changed from assigned to closed

In 3baf1d10429ae4ab503e0b96daeb88cfb860e54c:

Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

comment:6 by Tim Graham <timograham@…>, 11 years ago

In c0fb6bdde3ffcfc4108d865cdc3f34a7175e5907:

[1.6.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master

comment:7 by Tim Graham <timograham@…>, 11 years ago

In bc78ffa270cd6b2607749c0ed2b3974b98eef0f4:

[1.5.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master.
