Hi Paul,

the initial patch indeed used JSON to dump the data, but while probably
being more secure it had some drawbacks which do need consideration: the
JSON backend didn't allow serialization of arbitrary data, so it was
different from all the other backends, which do allow it -- which means this
backend isn't a drop-in replacement. Since Django only supports one
SESSION_ENGINE this might cause problems for some people, although I do think
if your session stores more than, let's say, some ids and messages you are
probably doing it wrong after all (at least in the case of cookie-based
sessions).

So either way, if we change it we need some notes in the documentation 
saying that this backend isn't compatible with the other backends… 

Cheers,
Florian

P.S.: Btw, if you leak your secret key, you can get an admin user with a
JSON backend too; while not being remote code execution it's still something
I would consider as catastrophic as code execution in most of my projects.
Oh, and I know I am moving onto thin ice now, but I'd still like to know: to my
understanding pickle doesn't necessarily allow arbitrary code execution, I
mean you can't stuff code into it, you can just control how and which
objects are loaded into the session -- which can be bad enough depending
on how those objects are used later on. Please correct me if I am wrong
here; I am not trying to argue that pickle would be safe to use, but would
like to understand what such an attack would look like -- so I would
appreciate it if you could give a more or less concrete example.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-developers/-/jxZ9pPehuNoJ.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
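The two points Florian raises above, that a JSON-based signed-cookie session backend refuses arbitrary objects (so it is not a drop-in replacement for pickle-based backends) and that its security rests entirely on the secret key, can be seen in a minimal self-contained sketch. This is an added illustration, not code from the Django patch under discussion; the `SECRET_KEY` value, the `dumps`/`loads` helper names and the cookie layout (base64url payload, a dot, base64url HMAC-SHA256 tag) are all constructed for the example.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed secret for this example; in Django the project's SECRET_KEY
# plays this role, and anyone holding it can mint a valid cookie.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookies dislike '='."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def dumps(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize a session dict with JSON and append an HMAC-SHA256 tag.

    json.dumps raises TypeError for anything that is not JSON-native,
    which is exactly the 'no arbitrary data' limitation of a JSON backend.
    """
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def loads(cookie: str, key: bytes = SECRET_KEY):
    """Verify the tag before parsing the payload; return None on any failure.

    Only plain JSON types can come back, so a tampered or forged cookie can
    at worst change values such as a user id, never which classes get built.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # missing separator or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def json_accepts(value) -> bool:
    """True if a JSON backend could store this value, False otherwise."""
    try:
        json.dumps(value)
        return True
    except TypeError:
        return False


def demo():
    """Round-trip a session, show tamper rejection and the JSON type limit."""
    cookie = dumps({"user_id": 7, "messages": ["saved"]})
    restored = loads(cookie)

    # Swap in another cookie's payload while keeping the original tag.
    other_payload = dumps({"user_id": 1}).split(".")[0]
    forged = other_payload + "." + cookie.split(".")[1]
    tampered_result = loads(forged)

    # A datetime is fine for pickle but not for a JSON backend.
    return restored, tampered_result, json_accepts(datetime.datetime(2012, 1, 1))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off in one place: the cookie round-trips, a payload swapped in without the key is rejected, and a `datetime` (a normal thing to find in a pickled session) is refused by the JSON serializer, which is why documentation would need to say the backend is not compatible with the others.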