#29708 closed Cleanup/optimization (fixed)
Deprecate PickleSerializer and move it out of core
| Reported by: | Alex Gaynor | Owned by: | Adam Johnson |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Adam Johnson | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/
To further discourage its use, we should consider deprecating PickleSerializer and moving it into a third party package.
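Added illustration of the ticket's point, not code from Django or from the ticket: a minimal stand-in for the signed-cookie session path using a JSON serializer that follows the same dumps()/loads() bytes contract Django's session serializers use. The secret key and payloads are constructed. It shows the MAC rejecting a tampered cookie, and that the JSON path can only ever yield plain data and refuses non-JSON types at save time (the usual snag when migrating off PickleSerializer).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment uses settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-key-not-for-production"


class JSONSerializer:
    """Same dumps()/loads() bytes contract as Django's session serializers.
    Only JSON types round-trip, so loads() can never run code, whatever the input."""

    def dumps(self, obj):
        # Raises TypeError for sets, datetimes, model instances, etc.
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


def sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Stand-in for the session cookie MAC: base64(payload):base64(hmac-sha256)."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + ":" + base64.urlsafe_b64encode(mac).decode())


def unsign(token: str, key: bytes = SECRET_KEY) -> bytes:
    """Return the payload only if the MAC verifies; otherwise raise ValueError."""
    b64_payload, b64_mac = token.rsplit(":", 1)
    payload = base64.urlsafe_b64decode(b64_payload)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(b64_mac)):
        raise ValueError("session cookie signature mismatch")
    return payload


def save_session(data, serializer=JSONSerializer()) -> str:
    return sign(serializer.dumps(data))


def load_session(token: str, serializer=JSONSerializer()):
    # The MAC is checked first; deserialization never sees unauthenticated bytes.
    return serializer.loads(unsign(token))


if __name__ == "__main__":
    token = save_session({"user_id": 7, "cart": [1, 2]})
    print(load_session(token))  # {'user_id': 7, 'cart': [1, 2]}
```

Even with a leaked key the JSON path degrades to data tampering, whereas pickle turns the same key leak into code execution, which is the defense-in-depth argument behind this ticket.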
Change History (8)
comment:1 by , 6 years ago
Component: | Uncategorized → contrib.sessions |
---|---|
Triage Stage: | Unreviewed → Someday/Maybe |
Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 6 years ago
Cc: | added |
---|
comment:3 by , 5 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
Patch needs improvement: | set |
Status: | new → assigned |
Triage Stage: | Someday/Maybe → Accepted |
Version: | 2.1 → master |
I've solved pickle problems for a couple clients so I thought it's worth picking this up.
comment:4 by , 3 years ago
Patch needs improvement: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
django-developers thread