Opened 8 months ago

Closed 8 months ago

Last modified 7 months ago

#21002 closed Cleanup/optimization (fixed)

Document JSON session serialization requires string keys

Reported by: jeroen.pulles@…
Owned by: timo
Component: Documentation
Version: 1.6-beta-1
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Just updated my Django 1.6 beta in my project; effectively moved from the pickle session serializer to the JSON serializer without knowing (I only read about this change *after* I got errors). Suddenly things break. Apparently my old session bytes are decoded via something JSON-ish.

A dictionary like:

{1: 2}

becomes:

{u"1": 2}

breaking:

mydict[1]
>>> KeyError

I prefer an error message where "the JSON decoder" complains that it can't decode pickle data, so that I have a chance of "migrating" the session data, clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.

I don't understand the session docs on "an attacker knowing the SECRET_KEY". As in, an attacker can brute-force guess/determine the secret key? Or did this attacker read the config file with the secret key, along with the database password etcetera? As a result I am not sure whether I should switch serializers or make my session data JSON-proof.

Attachments (1)

21002.diff (3.3 KB) - added by timo 8 months ago.


Change History (8)

comment:1 Changed 8 months ago by timo

  • Component changed from contrib.sessions to Documentation
  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to timo
  • Patch needs improvement unset
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Cleanup/optimization

Thanks for the feedback. This isn't a consequence of switching from JSON to pickle (as noted in the release notes "If you upgrade and switch from pickle to JSON, sessions created before the upgrade will be lost."), but rather a limitation of the JSON serializer -- keys are always serialized as strings in JSON. I believe we should handle this by documenting the caveat that you shouldn't use integer keys (or other types) when using JSON serialization.

I will clarify the docs regarding your question about SECRET_KEY. There's no inherent vulnerability in Django that would cause it to leak.
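The behaviour described in the report and in comment:1 (integer dict keys coming back as strings after a JSON round-trip, so the old lookups raise KeyError) is easy to reproduce and to guard against. The following is an added example, not code from the ticket or from Django itself; `json_roundtrip` is assumed to stand in for a JSON session serializer that wraps `json.dumps`/`json.loads`, and `SAMPLE_SESSION` is a constructed payload keyed by database ids like the reporter's cache:

```python
import json

# Constructed sample: a session payload keyed by database ids, as in the report.
SAMPLE_SESSION = {"cached": {1: "alice", 2: "bob"}, "user_id": 42}


def json_roundtrip(data):
    """Serialize and deserialize the way a JSON session serializer does.

    Assumption: this stands in for a serializer built on json.dumps/json.loads.
    JSON object keys are always strings, so int keys come back as str.
    """
    return json.loads(json.dumps(data))


def find_non_string_keys(data, path="$"):
    """Walk a session payload and report every dict key that is not a str.

    Returns a list of JSONPath-like locations; an empty list means every
    key will survive a JSON round-trip unchanged.
    """
    problems = []
    if isinstance(data, dict):
        for key, value in data.items():
            if not isinstance(key, str):
                problems.append(f"{path}.{key!r}")
            problems.extend(find_non_string_keys(value, f"{path}.{key}"))
    elif isinstance(data, (list, tuple)):
        for index, value in enumerate(data):
            problems.extend(find_non_string_keys(value, f"{path}[{index}]"))
    return problems


def stringify_keys(data):
    """Return a copy with every dict key converted to str.

    Applying this before the data reaches the session store makes the
    payload stable under JSON round-trips. Raises on a collision such as
    1 vs "1" instead of silently overwriting one entry with the other.
    """
    if isinstance(data, dict):
        out = {}
        for key, value in data.items():
            skey = str(key)
            if skey in out:
                raise ValueError(f"key collision after str(): {key!r} vs {skey!r}")
            out[skey] = stringify_keys(value)
        return out
    if isinstance(data, (list, tuple)):
        return [stringify_keys(value) for value in data]
    return data


def lookup_survives_roundtrip(data, outer, inner):
    """True if data[outer][inner] can still be read after a JSON round-trip."""
    restored = json_roundtrip(data)
    try:
        restored[outer][inner]
    except KeyError:
        return False
    return True


if __name__ == "__main__":
    # Report the offending keys, show the broken lookup, then the fixed one.
    print(find_non_string_keys(SAMPLE_SESSION))                    # ['$.cached.1', '$.cached.2']
    print(lookup_survives_roundtrip(SAMPLE_SESSION, "cached", 1))  # False
    safe = stringify_keys(SAMPLE_SESSION)
    print(lookup_survives_roundtrip(safe, "cached", "1"))          # True
```

Running `find_non_string_keys` over whatever a view is about to put in `request.session` is a cheap pre-deployment check when migrating away from the pickle serializer; `stringify_keys` is the "make my session data JSON-proof" option the reporter asks about, with the collision check there because `str()` can map two distinct keys onto one.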

Changed 8 months ago by timo

comment:2 Changed 8 months ago by timo

  • Has patch set

I've added a patch. If you could provide feedback that would be great --thanks again!

comment:3 Changed 8 months ago by jeroen.pulles@…

Ah yes, my bad, sorry; I thought that my current (pickled) session was mangled. Instead, stuff only broke after the inevitable login when changing serializers.

The example with the zero as key to session might be a bit far-fetched. In my use case I have a bunch of database ids as keys to some cached data. On the other hand it's nice and short. I'm fine with it.

Thanks,
jeroen

comment:4 Changed 8 months ago by timo

  • Summary changed from Sessions: The switch from pickle to json silently mangles my session data to Document JSON session serialization requires string keys
  • Triage Stage changed from Accepted to Ready for checkin

comment:5 Changed 8 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 3baf1d10429ae4ab503e0b96daeb88cfb860e54c:

Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

comment:6 Changed 8 months ago by Tim Graham <timograham@…>

In c0fb6bdde3ffcfc4108d865cdc3f34a7175e5907:

[1.6.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master

comment:7 Changed 7 months ago by Tim Graham <timograham@…>

In bc78ffa270cd6b2607749c0ed2b3974b98eef0f4:

[1.5.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master.
