[Django] #29708: Deprecate PickleSerializer and move it out of core
Django
-----------------------------------------+------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Pickle serializer has long been known to be dangerous. This is mitigated
by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to
happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a
-facebook-server/
To further discourage it's use, we should consider deprecating
PickleSerializer and moving it into a third party package.
--
Ticket URL: <https://code.djangoproject.com/ticket/29708>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Alex Gaynor | Owner: nobody
Cleanup/optimization |
Component: contrib.sessions | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* component: Uncategorized => contrib.sessions
* type: Uncategorized => Cleanup/optimization
* stage: Unreviewed => Someday/Maybe
Comment:
[https://groups.google.com/d/topic/django-
developers/FR0Eu9QgynY/discussion django-developers thread]
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:1>
Django
Reporter: Alex Gaynor | Owner: nobody
Cleanup/optimization |
Component: contrib.sessions | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Someday/Maybe
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Adam (Chainz) Johnson):
* cc: Adam (Chainz) Johnson (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:2>
Django
Reporter: Alex Gaynor | Owner: Adam
Type: | (Chainz) Johnson
Cleanup/optimization | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
Changes (by Adam (Chainz) Johnson):
* status: new => assigned
* needs_better_patch: 0 => 1
* version: 2.1 => master
* owner: nobody => Adam (Chainz) Johnson
* has_patch: 0 => 1
* stage: Someday/Maybe => Accepted
Comment:
I've solved pickle problems for a couple clients so I thought it's worth
picking this up.
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:3>
Django
Reporter: Alex Gaynor | Owner: Adam
Cleanup/optimization | Status: assigned
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak):
* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:4>
Django
Reporter: Alex Gaynor | Owner: Adam
Type: | Johnson
Cleanup/optimization | Status: assigned
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"436862787cbdbd68b0ba20ed8c23b295e3679df3" 43686278]:
{{{
#!CommitTicketReference repository=""
revision="436862787cbdbd68b0ba20ed8c23b295e3679df3"
Refs #29708 -- Made SessionBase store expiry as string.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:6>
Django
Reporter: Alex Gaynor | Owner: Adam
Type: | Johnson
Cleanup/optimization | Status: assigned
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"c6cb5a0277fce1b87a4b417002289c31f0ee44bc" c6cb5a02]:
{{{
#!CommitTicketReference repository=""
revision="c6cb5a0277fce1b87a4b417002289c31f0ee44bc"
Refs #29708 -- Stopped inheriting from PickleSerializer by
RedisSerializer.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:5>
Django
Reporter: Alex Gaynor | Owner: Adam
Type: | Johnson
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"45a42aabfa1a86d1806bec93b31ef6ed7ccd51a7" 45a42aa]:
{{{
#!CommitTicketReference repository=""
revision="45a42aabfa1a86d1806bec93b31ef6ed7ccd51a7"
Fixed #29708 -- Deprecated PickleSerializer.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:7>
Django
Reporter: Alex Gaynor | Owner: Adam
Type: | Johnson
Cleanup/optimization | Status: closed
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"b119f4329c2a4878f1c72f4d25d193d080792f62" b119f43]:
{{{
#!CommitTicketReference repository=""
revision="b119f4329c2a4878f1c72f4d25d193d080792f62"
Refs #29708 -- Removed PickleSerializer per deprecation timeline.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29708#comment:8>