From 956df84a613d4b9a92c979e46557243d288282c8 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 27 Aug 2015 09:55:53 -0400 Subject: [PATCH] Removed historical note about session serialization. --- docs/topics/http/sessions.txt | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index 36c504ba40..3a825f28cb 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt 
@@ -319,28 +319,22 @@ You can edit it multiple times. Session serialization --------------------- -Before version 1.6, Django defaulted to using :mod:`pickle` to serialize -session data before storing it in the backend. If you're using the :ref:`signed -cookie session backend` and :setting:`SECRET_KEY` is -known by an attacker (there isn't an inherent vulnerability in Django that -would cause it to leak), the attacker could insert a string into their session -which, when unpickled, executes arbitrary code on the server. The technique for -doing so is simple and easily available on the internet. Although the cookie -session storage signs the cookie-stored data to prevent tampering, a -:setting:`SECRET_KEY` leak immediately escalates to a remote code execution -vulnerability. - -This attack can be mitigated by serializing session data using JSON rather -than :mod:`pickle`. To facilitate this, Django 1.5.3 introduced a new setting, -:setting:`SESSION_SERIALIZER`, to customize the session serialization format. -For backwards compatibility, this setting defaults to -using :class:`django.contrib.sessions.serializers.PickleSerializer` in -Django 1.5.x, but, for security hardening, defaults to -:class:`django.contrib.sessions.serializers.JSONSerializer` in Django 1.6. -Even with the caveats described in :ref:`custom-serializers`, we highly +By default, Django serializes session data using JSON. You can use the +:setting:`SESSION_SERIALIZER` setting to customize the session serialization +format. Even with the caveats described in :ref:`custom-serializers`, we highly recommend sticking with JSON serialization *especially if you are using the cookie backend*. +For example, here's an attack scenario if you use :mod:`pickle` to serialize +session data. 
If you're using the :ref:`signed cookie session backend +` and :setting:`SECRET_KEY` is known by an attacker +(there isn't an inherent vulnerability in Django that would cause it to leak), +the attacker could insert a string into their session which, when unpickled, +executes arbitrary code on the server. The technique for doing so is simple and +easily available on the internet. Although the cookie session storage signs the +cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak +immediately escalates to a remote code execution vulnerability. + Bundled Serializers ^^^^^^^^^^^^^^^^^^^
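Review bot: The rewritten opening paragraph drops the name of the default serializer: the removed text said the setting "defaults to :class:`django.contrib.sessions.serializers.JSONSerializer`", while the new text only says "Django serializes session data using JSON" and points at :setting:`SESSION_SERIALIZER`. Keeping one line such as ":setting:`SESSION_SERIALIZER` defaults to :class:`django.contrib.sessions.serializers.JSONSerializer`" would let readers who look up the setting from this section see which class is in use without having to scroll to "Bundled Serializers". Also worth a build check: the moved paragraph's ":ref:`signed cookie session backend" role now breaks across a line before its closing backtick (":ref:`signed cookie session backend" / "` and :setting:`SECRET_KEY`"); Sphinx accepts roles spanning a line break, but confirm the cross-reference still resolves after the rewrap, since the original split the role at a different word.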