mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-29 02:30:48 +00:00
Code Issues 32 Releases Wiki Activity

Removed historical note about session serialization.

Browse Source
This commit is contained in:
Tim Graham 2015-08-27 09:55:53 -04:00
parent e8cbc2b322
commit 956df84a61
1 changed files with 13 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
docs/topics/http/sessions.txt
View File

@ -319,28 +319,22 @@ You can edit it multiple times.
Session serialization Session serialization
--------------------- ---------------------
Before version 1.6, Django defaulted to using :mod:`pickle` to serialize By default, Django serializes session data using JSON. You can use the
session data before storing it in the backend. If you're using the :ref:`signed :setting:`SESSION_SERIALIZER` setting to customize the session serialization
cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is format. Even with the caveats described in :ref:`custom-serializers`, we highly
known by an attacker (there isn't an inherent vulnerability in Django that
would cause it to leak), the attacker could insert a string into their session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
:setting:`SECRET_KEY` leak immediately escalates to a remote code execution
vulnerability.
This attack can be mitigated by serializing session data using JSON rather
than :mod:`pickle`. To facilitate this, Django 1.5.3 introduced a new setting,
:setting:`SESSION_SERIALIZER`, to customize the session serialization format.
For backwards compatibility, this setting defaults to
using :class:`django.contrib.sessions.serializers.PickleSerializer` in
Django 1.5.x, but, for security hardening, defaults to
:class:`django.contrib.sessions.serializers.JSONSerializer` in Django 1.6.
Even with the caveats described in :ref:`custom-serializers`, we highly
recommend sticking with JSON serialization *especially if you are using the recommend sticking with JSON serialization *especially if you are using the
cookie backend*. cookie backend*.
For example, here's an attack scenario if you use :mod:`pickle` to serialize
session data. If you're using the :ref:`signed cookie session backend
<cookie-session-backend>` and :setting:`SECRET_KEY` is known by an attacker
(there isn't an inherent vulnerability in Django that would cause it to leak),
the attacker could insert a string into their session which, when unpickled,
executes arbitrary code on the server. The technique for doing so is simple and
easily available on the internet. Although the cookie session storage signs the
cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak
immediately escalates to a remote code execution vulnerability.
Bundled Serializers Bundled Serializers
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^