summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAdam Johnson <me@adamj.eu>2020-01-30 09:28:32 +0000
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-01-13 13:50:20 +0100
commit45a42aabfa1a86d1806bec93b31ef6ed7ccd51a7 (patch)
tree06aa1a1d8f51da669a248d323ea3ef25e31507d1 /docs
parentc920387faba8da2f65fca49d191b6a93a9becdba (diff)
Fixed #29708 -- Deprecated PickleSerializer.
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt2
-rw-r--r--docs/ref/settings.txt7
-rw-r--r--docs/releases/4.1.txt3
-rw-r--r--docs/topics/http/sessions.txt27
4 files changed, 21 insertions, 18 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 4ab7a4135d..23fa942ef9 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -79,6 +79,8 @@ details on these changes.
``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` will be
removed.
+* ``django.contrib.sessions.serializers.PickleSerializer`` will be removed.
+
.. _deprecation-removed-in-4.1:
4.1
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 6c3d7530a1..e65f92b4ff 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -3384,14 +3384,11 @@ sessions won't be created, even if this setting is active.
Default: ``'django.contrib.sessions.serializers.JSONSerializer'``
Full import path of a serializer class to use for serializing session data.
-Included serializers are:
+Included serializer is:
-* ``'django.contrib.sessions.serializers.PickleSerializer'``
* ``'django.contrib.sessions.serializers.JSONSerializer'``
-See :ref:`session_serialization` for details, including a warning regarding
-possible remote code execution when using
-:class:`~django.contrib.sessions.serializers.PickleSerializer`.
+See :ref:`session_serialization` for details.
Sites
=====
diff --git a/docs/releases/4.1.txt b/docs/releases/4.1.txt
index 3b36e7ea54..32e816b940 100644
--- a/docs/releases/4.1.txt
+++ b/docs/releases/4.1.txt
@@ -403,6 +403,9 @@ Miscellaneous
* The ``exc_info`` argument of the undocumented
``django.utils.log.log_response()`` function is replaced by ``exception``.
+* ``django.contrib.sessions.serializers.PickleSerializer`` is deprecated due to
+ the risk of remote code execution.
+
Features removed in 4.1
=======================
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index ce92af7b71..20502208a8 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -124,7 +124,7 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
**If the SECRET_KEY is not kept secret and you are using the**
- :class:`~django.contrib.sessions.serializers.PickleSerializer`, **this can
+ ``django.contrib.sessions.serializers.PickleSerializer``, **this can
lead to arbitrary remote code execution.**
An attacker in possession of the :setting:`SECRET_KEY` can not only
@@ -362,19 +362,23 @@ Bundled serializers
remote code execution vulnerability if :setting:`SECRET_KEY` becomes known
by an attacker.
+ .. deprecated:: 4.1
+
+ Due to the risk of remote code execution, this serializer is deprecated
+ and will be removed in Django 5.0.
+
.. _custom-serializers:
Write your own serializer
~~~~~~~~~~~~~~~~~~~~~~~~~
-Note that unlike :class:`~django.contrib.sessions.serializers.PickleSerializer`,
-the :class:`~django.contrib.sessions.serializers.JSONSerializer` cannot handle
-arbitrary Python data types. As is often the case, there is a trade-off between
-convenience and security. If you wish to store more advanced data types
-including ``datetime`` and ``Decimal`` in JSON backed sessions, you will need
-to write a custom serializer (or convert such values to a JSON serializable
-object before storing them in ``request.session``). While serializing these
-values is often straightforward
+Note that the :class:`~django.contrib.sessions.serializers.JSONSerializer`
+cannot handle arbitrary Python data types. As is often the case, there is a
+trade-off between convenience and security. If you wish to store more advanced
+data types including ``datetime`` and ``Decimal`` in JSON backed sessions, you
+will need to write a custom serializer (or convert such values to a JSON
+serializable object before storing them in ``request.session``). While
+serializing these values is often straightforward
(:class:`~django.core.serializers.json.DjangoJSONEncoder` may be helpful),
writing a decoder that can reliably get back the same thing that you put in is
more fragile. For example, you run the risk of returning a ``datetime`` that
@@ -664,10 +668,7 @@ Technical details
=================
* The session dictionary accepts any :mod:`json` serializable value when using
- :class:`~django.contrib.sessions.serializers.JSONSerializer` or any
- picklable Python object when using
- :class:`~django.contrib.sessions.serializers.PickleSerializer`. See the
- :mod:`pickle` module for more information.
+ :class:`~django.contrib.sessions.serializers.JSONSerializer`.
* Session data is stored in a database table named ``django_session`` .