Opened 2 years ago

Last modified 6 months ago

#29708 assigned Cleanup/optimization

Deprecate PickleSerializer and move it out of core

Reported by: Alex Gaynor
Owned by: Adam (Chainz) Johnson
Component: contrib.sessions
Version: master
Severity: Normal
Keywords:
Cc: Adam (Chainz) Johnson
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/

To further discourage its use, we should consider deprecating PickleSerializer and moving it into a third party package.
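The description contrasts two layers of protection: the MAC that stops a session cookie from being tampered with, and the serializer that decides what a verified payload can turn into. The following is an added illustration, not Django's own code, of why the second layer matters even with the first in place: a small HMAC-signed cookie helper (loosely modelled on the signed-cookie idea, with a constructed `SECRET_KEY`) whose JSON serializer can only ever yield plain data, so a verified payload is never a vector for object reconstruction. The names `sign_session`, `load_session` and `JSONSerializer` here are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only; in Django this role is
# played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-key-do-not-use"


class JSONSerializer:
    """Data-only serializer (this example's own, not Django's class).

    json.loads can only produce dicts, lists, str, numbers, bool and None;
    it never reconstructs arbitrary Python objects, which is the property
    a pickle-based serializer lacks."""

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("ascii")

    def loads(self, data):
        return json.loads(data.decode("ascii"))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def sign_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize and MAC a session dict into a cookie value 'payload.sig'."""
    payload = _b64(JSONSerializer().dumps(session))
    return f"{payload}.{_mac(payload, key)}"


def load_session(cookie: str, key: bytes = SECRET_KEY):
    """Verify the MAC first, then deserialize. Returns None on any failure."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, _mac(payload, key)):
        return None
    try:
        return JSONSerializer().loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def forge_payload_keep_signature(cookie: str, new_session: dict) -> str:
    """Constructed tamper case: swap the payload but keep the old signature."""
    _, sig = cookie.rsplit(".", 1)
    new_payload, _ = sign_session(new_session).rsplit(".", 1)
    return f"{new_payload}.{sig}"


if __name__ == "__main__":
    cookie = sign_session({"uid": 7, "is_admin": False})
    print(load_session(cookie))                                   # round-trips
    print(load_session(forge_payload_keep_signature(cookie, {"uid": 1, "is_admin": True})))  # None
    print(load_session(cookie, key=b"rotated-key"))               # None
```

In a Django project the equivalent choice is the `SESSION_SERIALIZER` setting: `django.contrib.sessions.serializers.JSONSerializer` keeps verified payloads to plain data, while `django.contrib.sessions.serializers.PickleSerializer` is the one this ticket proposes to deprecate.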

Change History (3)

comment:1 Changed 2 years ago by Tim Graham

Component: Uncategorized → contrib.sessions
Triage Stage: Unreviewed → Someday/Maybe
Type: Uncategorized → Cleanup/optimization

comment:2 Changed 2 years ago by Adam (Chainz) Johnson

Cc: Adam (Chainz) Johnson added

comment:3 Changed 6 months ago by Adam (Chainz) Johnson

Has patch: set
Owner: changed from nobody to Adam (Chainz) Johnson
Patch needs improvement: set
Status: new → assigned
Triage Stage: Someday/Maybe → Accepted
Version: 2.1 → master

I've solved pickle problems for a couple clients so I thought it's worth picking this up.
