summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-09-03 07:48:03 -0400
committerTim Graham <timograham@gmail.com>2013-09-04 10:55:33 -0400
commitbc78ffa270cd6b2607749c0ed2b3974b98eef0f4 (patch)
tree96cee9bd6d2b60d57aa8ff1ad947b2503b937459
parentc9a021b04262abbf44ac57ed2ee5c6530a17f77e (diff)
[1.5.x] Fixed #21002 -- Documented JSON session serialization requires string keys
Thanks jeroen.pulles at redslider.net for the report. Backport of 3baf1d1042 from master.
-rw-r--r--docs/topics/http/sessions.txt20
1 files changed, 17 insertions, 3 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index d430a532df..039a7757d5 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -312,7 +312,8 @@ Session serialization
Before version 1.6, Django defaulted to using :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
-known by an attacker, the attacker could insert a string into his session
+known by an attacker (there isn't an inherent vulnerability in Django that
+would cause it to leak), the attacker could insert a string into his session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
@@ -337,8 +338,21 @@ Bundled Serializers
.. class:: serializers.JSONSerializer
A wrapper around the JSON serializer from :mod:`django.core.signing`. Can
- only serialize basic data types. See the :ref:`custom-serializers` section
- for more details.
+ only serialize basic data types.
+
+ In addition, as JSON supports only string keys, note that using non-string
+ keys in ``request.session`` won't work as expected::
+
+ >>> # initial assignment
+ >>> request.session[0] = 'bar'
+ >>> # subsequent requests following serialization & deserialization
+ >>> # of session data
+ >>> request.session[0] # KeyError
+ >>> request.session['0']
+ 'bar'
+
+ See the :ref:`custom-serializers` section for more details on limitations
+ of JSON serialization.
.. class:: serializers.PickleSerializer