Alex proposed:

---
Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/

To further discourage its use, we should consider deprecating PickleSerializer and moving it into a third party package.

https://code.djangoproject.com/ticket/29708
---

I don't see much advantage to a separate package for 10 lines of code:

    import pickle

    class PickleSerializer:
        """
        Simple wrapper around pickle to be used in signing.dumps and signing.loads.
        """
        protocol = pickle.HIGHEST_PROTOCOL

        def dumps(self, obj):
            return pickle.dumps(obj, self.protocol)

        def loads(self, data):
            return pickle.loads(data)

I'm not sure that removing it from Django would improve security (since Django 1.6, JSONSerializer is the default session serializer).

Thoughts?

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/37fe5ab5-6d30-45bd-8bdd-a11f0170209c%40googlegroups.com.
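An added example, not code from the thread or from Django itself: the quoted PickleSerializer beside an allow-listed variant whose loads() refuses to resolve any global it does not know, wrapped in a stand-in for the MAC check the ticket relies on. The names SAFE_BUILTINS, RestrictedUnpickler, RestrictedPickleSerializer, signed_dumps, signature_ok, signed_loads and is_rejected, the HMAC-SHA256 trailer layout and the sample date are assumptions made here; Django's signing module uses its own wire format.

```python
import builtins, datetime, hashlib, hmac, io, pickle

SAMPLE_DATE = datetime.date(2018, 8, 24)  # constructed: benign type that still needs a global lookup

class PickleSerializer:
    """The wrapper quoted in the thread: plain pickle in, plain pickle out."""
    protocol = pickle.HIGHEST_PROTOCOL
    def dumps(self, obj):
        return pickle.dumps(obj, self.protocol)
    def loads(self, data):
        return pickle.loads(data)

# Hypothetical allow-list: the only globals a session blob may resolve.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice", "complex"})

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global reference that is not on the allow-list."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

class RestrictedPickleSerializer(PickleSerializer):
    """Same dumps(); loads() rejects unknown globals instead of importing them."""
    def loads(self, data):
        return RestrictedUnpickler(io.BytesIO(data)).load()

def signed_dumps(key, obj, serializer=RestrictedPickleSerializer()):
    """Serialize, then append an HMAC-SHA256 tag (stand-in for signing.dumps)."""
    payload = serializer.dumps(obj)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def signature_ok(key, blob):
    """Constant-time check of the trailing 32-byte tag; nothing is unpickled here."""
    payload, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())

def signed_loads(key, blob, serializer=RestrictedPickleSerializer()):
    """Verify the MAC first, so only a genuine blob ever reaches the unpickler."""
    if not signature_ok(key, blob):
        raise ValueError("bad signature: rejected before unpickling")
    return serializer.loads(blob[:-32])

def is_rejected(serializer, data):
    """True when serializer.loads(data) trips the allow-list."""
    try:
        serializer.loads(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The allow-list rejects even the benign stdlib date, which is the trade-off: every type a session legitimately stores has to be added deliberately, whereas JSONSerializer never resolves globals at all.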
--- Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/ To further discourage it's use, we should consider deprecating PickleSerializer and moving it into a third party package. https://code.djangoproject.com/ticket/29708 --- I don't see much advantage to a separate package for 10 lines of code: import pickle class PickleSerializer: """ Simple wrapper around pickle to be used in signing.dumps and signing.loads. """ protocol = pickle.HIGHEST_PROTOCOL def dumps(self, obj): return pickle.dumps(obj, self.protocol) def loads(self, data): return pickle.loads(data) I'm not sure that removing it from Django would improve security (since Django 1.6, JSONSerializer is the default session serializer). Thoughts? -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/37fe5ab5-6d30-45bd-8bdd-a11f0170209c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.