#29708 closed Cleanup/optimization (fixed)
Deprecate PickleSerializer and move it out of core
| Reported by: | Alex Gaynor | Owned by: | Adam Johnson |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Adam Johnson | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/
To further discourage it's use, we should consider deprecating PickleSerializer and moving it into a third party package.
Change History (8)
comment:1 by , 6 years ago
| Component: | Uncategorized → contrib.sessions |
|---|---|
| Triage Stage: | Unreviewed → Someday/Maybe |
| Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 6 years ago
| Cc: | added |
|---|
comment:3 by , 5 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
| Patch needs improvement: | set |
| Status: | new → assigned |
| Triage Stage: | Someday/Maybe → Accepted |
| Version: | 2.1 → master |
I've solved pickle problems for a couple clients so I thought it's worth picking this up.
comment:4 by , 3 years ago
| Patch needs improvement: | unset |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
Note:
See TracTickets
for help on using tickets.
django-developers thread