On 20 May 2014, at 22:27, Tim Chase <django.us...@tim.thechases.com> wrote:
>> And yes, it is very important to keep it secret. The worst case
>> scenario for secret key leakage, in particular configurations, is
>> arbitrary remote code execution.
> 
> Could you elaborate on how such remote-code execution would happen?

If you use Django's cookie-based sessions[1], knowledge of the SECRET_KEY 
allows an attacker to forge a cookie with session data. Forging sessions is bad 
enough, but if you combine this with PickleSerializer[2], that escalates to 
remote code execution. Pickle is flexible but also unsafe: it's fairly simple 
to fabricate data that, when unpickled, executes particular Python code. This 
is why one must never unpickle data from an untrusted source.

PickleSerializer was the only option in Django < 1.5, the default option in 
Django 1.6, and a non-default option in Django 1.7+, for this reason. As far as 
I know, cookie-backed sessions have never been the default in Django.

See my blog[3] for a more extensive description and a proof of concept based on 
Flask.

On 21 May 2014, at 16:03, Henning Sprang <henning.spr...@gmail.com> wrote:
> As of the location where to document it, I stumbled about it in the
> "deployment checklist" part of the docs, there was only said it's
> important to keep it secret while those further questions kept
> unanswered - so when adding more info, you might also put a link on
> the deployment pages when working on it anyway.

Thanks for the suggestion, that would be useful indeed.

cheers,
Erik

[1] https://docs.djangoproject.com/en/1.6/topics/http/sessions/#using-cookie-based-sessions
[2] https://docs.djangoproject.com/en/1.6/topics/http/sessions/#session-serialization
[3] http://erik.io/blog/2013/04/26/proof-of-concept-arbitrary-remote-code-execution-pickle-sessions/
