Deprecate PickleSerializer for session serialization?


Tim Graham

Aug 25, 2018, 9:12:50 AM
to Django developers (Contributions to Django itself)

Alex proposed:

---

Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/


To further discourage its use, we should consider deprecating PickleSerializer and moving it into a third party package.

---

I don't see much advantage to a separate package for 10 lines of code:

import pickle

class PickleSerializer:
    """
    Simple wrapper around pickle to be used in signing.dumps and
    signing.loads.
    """
    protocol = pickle.HIGHEST_PROTOCOL

    def dumps(self, obj):
        return pickle.dumps(obj, self.protocol)

    def loads(self, data):
        return pickle.loads(data)

I'm not sure that removing it from Django would improve security (since Django 1.6, JSONSerializer is the default session serializer). Thoughts?

Michael Manfre

Aug 25, 2018, 11:56:22 AM
to django-d...@googlegroups.com
I have no strong opinion about keeping it versus moving it. The docs already provide a sufficient warning about the risks of using it. Anyone who uses it after reading the warning would likely still use it if it were in another package. A separate package is another "Are you sure?" step that they would likely ignore.

Regards,
Michael Manfre

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/37fe5ab5-6d30-45bd-8bdd-a11f0170209c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shai Berger

Aug 25, 2018, 5:09:47 PM
to django-d...@googlegroups.com
On Sat, 25 Aug 2018 11:56:02 -0400
Michael Manfre <mma...@gmail.com> wrote:

> Anyone who uses it after reading the warning would likely still use
> it if it were in another package. A separate package is another "Are
> you sure?" step that they would likely ignore.

I disagree -- a separate package means that the idea of pickling the
session object into a cookie is removed from the Django documentation,
making people much less likely to stumble upon it and much more likely
to use safer serializations in relevant use-cases. It's not just an
"Are you sure?" -- they'd have to actively look for it.

+1 for footgun removal,

Shai.

James Bennett

Aug 26, 2018, 7:36:41 AM
to django-d...@googlegroups.com
The only use case for pickle that I'm aware of is "I need a way to add a security hole to my site". So let's just get rid of it.

Adam Johnson

Aug 26, 2018, 9:57:20 AM
to django-d...@googlegroups.com
+1 to deprecate. Maybe we deprecate and remove it, and some user makes a third party package if they so wish?

On Sun, 26 Aug 2018 at 13:36, James Bennett <ubern...@gmail.com> wrote:
The only use case for pickle that I'm aware of is "I need a way to add a security hole to my site". So let's just get rid of it.



--
Adam

Florian Apolloner

Aug 26, 2018, 1:10:10 PM
to Django developers (Contributions to Django itself)
Yes, let's deprecate and remove it. No 3rd party package from Django itself; if someone wants it, they should write one.

Adam Johnson

Aug 26, 2018, 2:45:23 PM
to django-d...@googlegroups.com
🔥🔥🔥

--
Adam

Claude Paroz

Aug 26, 2018, 3:25:09 PM
to Django developers (Contributions to Django itself)
On Sunday 26 August 2018 13:36:41 UTC+2, James Bennett wrote:
The only use case for pickle that I'm aware of is "I need a way to add a security hole to my site". So let's just get rid of it.

From memory, I think there were cases when some types were not JSON-serializable.

Claude
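One way to cover the non-JSON-serializable types Claude mentions without falling back to pickle, as an added example that is neither code from this thread nor from Django itself: a serializer with the same dumps/loads contract as the PickleSerializer above, which only ever rebuilds a fixed whitelist of types from tagged JSON. The tag key, the type set and the sample session are assumptions.

```python
# Added example, not Django code: a JSON-based session serializer that also
# handles datetime, Decimal and UUID. The data never names a class to
# instantiate, so there is no pickle-style code execution path on loads().
import json
import uuid
from datetime import datetime, timezone
from decimal import Decimal

TAG = "__type__"  # assumed tag key; not a Django convention


def _encode(obj):
    """Turn a whitelisted non-JSON type into a tagged dict; reject the rest."""
    if isinstance(obj, datetime):
        return {TAG: "datetime", "value": obj.isoformat()}
    if isinstance(obj, Decimal):
        return {TAG: "decimal", "value": str(obj)}
    if isinstance(obj, uuid.UUID):
        return {TAG: "uuid", "value": str(obj)}
    # Unlike pickle, an unknown object fails loudly instead of being stored.
    raise TypeError(f"Object of type {type(obj).__name__} is not serializable")


def _decode(d):
    """Rebuild only the whitelisted tags; anything else stays plain data."""
    tag = d.get(TAG)
    if tag == "datetime":
        return datetime.fromisoformat(d["value"])
    if tag == "decimal":
        return Decimal(d["value"])
    if tag == "uuid":
        return uuid.UUID(d["value"])
    return d


class TypedJSONSerializer:
    """Same dumps()/loads() interface as the PickleSerializer in this thread."""

    def dumps(self, obj):
        return json.dumps(obj, default=_encode, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"), object_hook=_decode)


def sample_session():
    """Constructed session payload with the three types JSON cannot handle."""
    return {
        "user_id": uuid.UUID("12345678-1234-5678-1234-567812345678"),
        "cart_total": Decimal("9.99"),
        "last_seen": datetime(2018, 8, 25, 9, 12, 50, tzinfo=timezone.utc),
        "visits": 3,
    }
```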