diff options
| author | Adam Johnson <me@adamj.eu> | 2020-01-30 09:28:32 +0000 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-01-13 13:50:20 +0100 |
| commit | 45a42aabfa1a86d1806bec93b31ef6ed7ccd51a7 (patch) | |
| tree | 06aa1a1d8f51da669a248d323ea3ef25e31507d1 /docs | |
| parent | c920387faba8da2f65fca49d191b6a93a9becdba (diff) | |
Fixed #29708 -- Deprecated PickleSerializer.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 7 | ||||
| -rw-r--r-- | docs/releases/4.1.txt | 3 | ||||
| -rw-r--r-- | docs/topics/http/sessions.txt | 27 |
4 files changed, 21 insertions, 18 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 4ab7a4135d..23fa942ef9 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -79,6 +79,8 @@ details on these changes. ``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` will be removed. +* ``django.contrib.sessions.serializers.PickleSerializer`` will be removed. + .. _deprecation-removed-in-4.1: 4.1 diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6c3d7530a1..e65f92b4ff 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -3384,14 +3384,11 @@ sessions won't be created, even if this setting is active. Default: ``'django.contrib.sessions.serializers.JSONSerializer'`` Full import path of a serializer class to use for serializing session data. -Included serializers are: +Included serializer is: -* ``'django.contrib.sessions.serializers.PickleSerializer'`` * ``'django.contrib.sessions.serializers.JSONSerializer'`` -See :ref:`session_serialization` for details, including a warning regarding -possible remote code execution when using -:class:`~django.contrib.sessions.serializers.PickleSerializer`. +See :ref:`session_serialization` for details. Sites ===== diff --git a/docs/releases/4.1.txt b/docs/releases/4.1.txt index 3b36e7ea54..32e816b940 100644 --- a/docs/releases/4.1.txt +++ b/docs/releases/4.1.txt @@ -403,6 +403,9 @@ Miscellaneous * The ``exc_info`` argument of the undocumented ``django.utils.log.log_response()`` function is replaced by ``exception``. +* ``django.contrib.sessions.serializers.PickleSerializer`` is deprecated due to + the risk of remote code execution. + Features removed in 4.1 ======================= diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index ce92af7b71..20502208a8 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -124,7 +124,7 @@ and the :setting:`SECRET_KEY` setting. .. warning:: **If the SECRET_KEY is not kept secret and you are using the** - :class:`~django.contrib.sessions.serializers.PickleSerializer`, **this can + ``django.contrib.sessions.serializers.PickleSerializer``, **this can lead to arbitrary remote code execution.** An attacker in possession of the :setting:`SECRET_KEY` can not only @@ -362,19 +362,23 @@ Bundled serializers remote code execution vulnerability if :setting:`SECRET_KEY` becomes known by an attacker. + .. deprecated:: 4.1 + + Due to the risk of remote code execution, this serializer is deprecated + and will be removed in Django 5.0. + .. _custom-serializers: Write your own serializer ~~~~~~~~~~~~~~~~~~~~~~~~~ -Note that unlike :class:`~django.contrib.sessions.serializers.PickleSerializer`, -the :class:`~django.contrib.sessions.serializers.JSONSerializer` cannot handle -arbitrary Python data types. As is often the case, there is a trade-off between -convenience and security. If you wish to store more advanced data types -including ``datetime`` and ``Decimal`` in JSON backed sessions, you will need -to write a custom serializer (or convert such values to a JSON serializable -object before storing them in ``request.session``). While serializing these -values is often straightforward +Note that the :class:`~django.contrib.sessions.serializers.JSONSerializer` +cannot handle arbitrary Python data types. As is often the case, there is a +trade-off between convenience and security. If you wish to store more advanced +data types including ``datetime`` and ``Decimal`` in JSON backed sessions, you +will need to write a custom serializer (or convert such values to a JSON +serializable object before storing them in ``request.session``). While +serializing these values is often straightforward (:class:`~django.core.serializers.json.DjangoJSONEncoder` may be helpful), writing a decoder that can reliably get back the same thing that you put in is more fragile. For example, you run the risk of returning a ``datetime`` that @@ -664,10 +668,7 @@ Technical details ================= * The session dictionary accepts any :mod:`json` serializable value when using - :class:`~django.contrib.sessions.serializers.JSONSerializer` or any - picklable Python object when using - :class:`~django.contrib.sessions.serializers.PickleSerializer`. See the - :mod:`pickle` module for more information. + :class:`~django.contrib.sessions.serializers.JSONSerializer`. * Session data is stored in a database table named ``django_session`` . |
