Re: [Django] #35905: Sign (or encrypt) pickle cache traffic to protect against remote code execution through cache takeover (was: Please start signing (or encrypting) pickle cache traffic to protect against remote code execution through cache takeover, by default)
4 views
Skip to first unread message
Django
Nov 12, 2024, 9:31:02 AM11/12/24
to django-...@googlegroups.com
#35905: Sign (or encrypt) pickle cache traffic to protect against remote code
execution through cache takeover
-------------------------------------+-------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: New feature | Status: closed
Component: Core (Cache system) | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: cache security | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):
* resolution: => wontfix
* status: new => closed
* summary:
Please start signing (or encrypting) pickle cache traffic to protect
against remote code execution through cache takeover, by default
=>
Sign (or encrypt) pickle cache traffic to protect against remote code
execution through cache takeover
* type: Bug => New feature
Comment:
Hello again Sebastian,
I think the historic consensus has been that if the machine your cache
runs on is compromised, signing/encrypting the data will not help much,
and since a cache is supposed to be very fast, the performance overhead
isn't acceptable.
To propose a new feature like this, the proper channel is the
[https://forum.djangoproject.com/c/internals/5 Django Internals section of
Django forum] (which reaches a wider audience than.this ticket tracker).
If there is consensus to make a change, we'll reopen and accept this
ticket. Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/35905#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
execution through cache takeover
-------------------------------------+-------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: New feature | Status: closed
Component: Core (Cache system) | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: cache security | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):
* resolution: => wontfix
* status: new => closed
* summary:
Please start signing (or encrypting) pickle cache traffic to protect
against remote code execution through cache takeover, by default
=>
Sign (or encrypt) pickle cache traffic to protect against remote code
execution through cache takeover
* type: Bug => New feature
Comment:
Hello again Sebastian,
I think the historic consensus has been that if the machine your cache
runs on is compromised, signing/encrypting the data will not help much,
and since a cache is supposed to be very fast, the performance overhead
isn't acceptable.
To propose a new feature like this, the proper channel is the
[https://forum.djangoproject.com/c/internals/5 Django Internals section of
Django forum] (which reaches a wider audience than.this ticket tracker).
If there is consensus to make a change, we'll reopen and accept this
ticket. Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/35905#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Reply all
Reply to author
Forward
0 new messages