docs/topics/http/sessions.txt +13 −19
@@ -319,28 +319,22 @@ You can edit it multiple times. Session serialization --------------------- Before version 1.6, Django defaulted to using :mod:`pickle` to serialize session data before storing it in the backend. If you're using the :ref:`signed cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is known by an attacker (there isn't an inherent vulnerability in Django that would cause it to leak), the attacker could insert a string into their session which, when unpickled, executes arbitrary code on the server. The technique for doing so is simple and easily available on the internet. Although the cookie session storage signs the cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak immediately escalates to a remote code execution vulnerability. This attack can be mitigated by serializing session data using JSON rather than :mod:`pickle`. To facilitate this, Django 1.5.3 introduced a new setting, :setting:`SESSION_SERIALIZER`, to customize the session serialization format. For backwards compatibility, this setting defaults to using :class:`django.contrib.sessions.serializers.PickleSerializer` in Django 1.5.x, but, for security hardening, defaults to :class:`django.contrib.sessions.serializers.JSONSerializer` in Django 1.6. Even with the caveats described in :ref:`custom-serializers`, we highly By default, Django serializes session data using JSON. You can use the :setting:`SESSION_SERIALIZER` setting to customize the session serialization format. Even with the caveats described in :ref:`custom-serializers`, we highly recommend sticking with JSON serialization *especially if you are using the cookie backend*. For example, here's an attack scenario if you use :mod:`pickle` to serialize session data. 
If you're using the :ref:`signed cookie session backend <cookie-session-backend>` and :setting:`SECRET_KEY` is known by an attacker (there isn't an inherent vulnerability in Django that would cause it to leak), the attacker could insert a string into their session which, when unpickled, executes arbitrary code on the server. The technique for doing so is simple and easily available on the internet. Although the cookie session storage signs the cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak immediately escalates to a remote code execution vulnerability. Bundled Serializers ^^^^^^^^^^^^^^^^^^^ Loading Loading
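Review bot: the rewritten text drops the one sentence that states the mitigation explicitly, "This attack can be mitigated by serializing session data using JSON rather than :mod:`pickle`.", so the new attack-scenario paragraph ends on "immediately escalates to a remote code execution vulnerability" without closing the loop on why the JSON recommendation above it addresses that risk; consider keeping that sentence at the end of the scenario paragraph (the version-history detail about 1.5.3/1.6 and the old PickleSerializer default is fine to remove). The whitespace fix in the ref target, `:ref:`signed cookie session backend <cookie-session-backend>``, is a good catch and should stay.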