diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-01-12 14:43:48 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-01-17 11:49:15 +0100 |
| commit | b119f4329c2a4878f1c72f4d25d193d080792f62 (patch) | |
| tree | 9ce167ad86124abbcd328b73760eb6e6dc288b63 /docs | |
| parent | 23c87874397a22ca80c0d6fa8648fb58ee3ab28a (diff) | |
Refs #29708 -- Removed PickleSerializer per deprecation timeline.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.0.txt | 2 | ||||
| -rw-r--r-- | docs/topics/http/sessions.txt | 25 |
2 files changed, 2 insertions, 25 deletions
diff --git a/docs/releases/5.0.txt b/docs/releases/5.0.txt index fb052b77f1..d39b8d314a 100644 --- a/docs/releases/5.0.txt +++ b/docs/releases/5.0.txt @@ -317,3 +317,5 @@ to remove usage of these features. * The undocumented ability to pass ``errors=None`` to ``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed. + +* ``django.contrib.sessions.serializers.PickleSerializer`` is removed. diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index 4dc6f6af35..fd2f106739 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -122,20 +122,6 @@ and the :setting:`SECRET_KEY` setting. .. warning:: - **If the** ``SECRET_KEY`` **or** ``SECRET_KEY_FALLBACKS`` **are not kept - secret and you are using the** - ``django.contrib.sessions.serializers.PickleSerializer``, **this can lead - to arbitrary remote code execution.** - - An attacker in possession of the :setting:`SECRET_KEY` or - :setting:`SECRET_KEY_FALLBACKS` can not only generate falsified session - data, which your site will trust, but also remotely execute arbitrary code, - as the data is serialized using pickle. - - If you use cookie-based sessions, pay extra care that your secret key is - always kept completely secret, for any system which might be remotely - accessible. - **The session data is signed but not encrypted** When using the cookies backend the session data can be read by the client. @@ -373,17 +359,6 @@ Bundled serializers See the :ref:`custom-serializers` section for more details on limitations of JSON serialization. -.. class:: serializers.PickleSerializer - - Supports arbitrary Python objects, but, as described above, can lead to a - remote code execution vulnerability if :setting:`SECRET_KEY` or any key of - :setting:`SECRET_KEY_FALLBACKS` becomes known by an attacker. - - .. deprecated:: 4.1 - - Due to the risk of remote code execution, this serializer is deprecated - and will be removed in Django 5.0. - .. _custom-serializers: Write your own serializer |
