summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2023-01-12 14:43:48 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2023-01-17 11:49:15 +0100
commitb119f4329c2a4878f1c72f4d25d193d080792f62 (patch)
tree9ce167ad86124abbcd328b73760eb6e6dc288b63 /docs
parent23c87874397a22ca80c0d6fa8648fb58ee3ab28a (diff)
Refs #29708 -- Removed PickleSerializer per deprecation timeline.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.0.txt2
-rw-r--r--docs/topics/http/sessions.txt25
2 files changed, 2 insertions, 25 deletions
diff --git a/docs/releases/5.0.txt b/docs/releases/5.0.txt
index fb052b77f1..d39b8d314a 100644
--- a/docs/releases/5.0.txt
+++ b/docs/releases/5.0.txt
@@ -317,3 +317,5 @@ to remove usage of these features.
* The undocumented ability to pass ``errors=None`` to
``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed.
+
+* ``django.contrib.sessions.serializers.PickleSerializer`` is removed.
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index 4dc6f6af35..fd2f106739 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -122,20 +122,6 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
- **If the** ``SECRET_KEY`` **or** ``SECRET_KEY_FALLBACKS`` **are not kept
- secret and you are using the**
- ``django.contrib.sessions.serializers.PickleSerializer``, **this can lead
- to arbitrary remote code execution.**
-
- An attacker in possession of the :setting:`SECRET_KEY` or
- :setting:`SECRET_KEY_FALLBACKS` can not only generate falsified session
- data, which your site will trust, but also remotely execute arbitrary code,
- as the data is serialized using pickle.
-
- If you use cookie-based sessions, pay extra care that your secret key is
- always kept completely secret, for any system which might be remotely
- accessible.
-
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.
@@ -373,17 +359,6 @@ Bundled serializers
See the :ref:`custom-serializers` section for more details on limitations
of JSON serialization.
-.. class:: serializers.PickleSerializer
-
- Supports arbitrary Python objects, but, as described above, can lead to a
- remote code execution vulnerability if :setting:`SECRET_KEY` or any key of
- :setting:`SECRET_KEY_FALLBACKS` becomes known by an attacker.
-
- .. deprecated:: 4.1
-
- Due to the risk of remote code execution, this serializer is deprecated
- and will be removed in Django 5.0.
-
.. _custom-serializers:
Write your own serializer