On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?
>
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if you combine this with
> PickleSerializer[2], that escalates to remote code execution:
> pickle is flexible but also unsafe: it's fairly simple to fabricate
> data that, when unpickled, executes particular Python code. This is
> why one must never unpickle data from an untrusted source.
I know not to (and don't) use Pickle for that reason, but if Django is using it and trusting the SECRET_KEY to protect it, that makes perfect sense. Thanks!

-tkc

To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20140521120129.091f9cfd%40bigbox.christie.dr.
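The mechanism Erik describes above has two independent parts: the signature over the cookie (which only the SECRET_KEY holder can produce) and the serializer that turns the verified bytes back into session data (which decides whether a forged cookie is merely a forged session or a code-execution vector). The following stand-alone Python model, added here as an illustration rather than code from the thread or from Django itself, separates the two. It uses a stdlib HMAC-signed cookie in place of Django's signing code, a JSON loader that can only ever yield data, and a restricted pickle loader that refuses any global reference so the difference between "data" and "a reference to code" in a pickle stream is visible. The `SECRET_KEY` value, the function names and the session contents are all constructed for the demo; Django's remedy is to use the JSON serializer (its default since 1.6), not a restricted unpickler, and the restricted loader appears only to show which check pickle normally lacks.

```python
import base64
import hashlib
import hmac
import io
import json
import pickle

# Constructed demo key; a real Django SECRET_KEY is a long random string.
SECRET_KEY = b"demo-secret-key-not-for-production"


def sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Return 'base64(payload).hexsig': an HMAC-SHA256 signed cookie value."""
    body = base64.urlsafe_b64encode(payload).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload bytes if the signature is valid under key, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return base64.urlsafe_b64decode(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module-level name.

    Plain containers and scalars never need find_class; a stream that asks
    for one is carrying a reference to code, which session data never needs.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_json_session(cookie: str, key: bytes = SECRET_KEY):
    """Signature check, then JSON decode: the result can only be data."""
    payload = verify(cookie, key)
    if payload is None:
        return None
    return json.loads(payload)


def load_pickle_session(cookie: str, key: bytes = SECRET_KEY):
    """Signature check, then restricted unpickle (plain pickle.loads would not restrict)."""
    payload = verify(cookie, key)
    if payload is None:
        return None
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def demo() -> dict:
    """Run the scenarios from the thread; every value should be True."""
    results = {}
    session = {"user_id": 42, "is_admin": False}

    # 1. Signed JSON session round-trips.
    cookie = sign(json.dumps(session).encode())
    results["json_ok"] = load_json_session(cookie) == session

    # 2. Without the key, a modified cookie fails verification.
    tampered = sign(json.dumps({"user_id": 42, "is_admin": True}).encode(), b"wrong-key")
    results["tampered_rejected"] = load_json_session(tampered) is None

    # 3. With the key, any session content verifies: the signature alone is the
    #    only protection, which is Erik's first point (forged sessions).
    forged = sign(json.dumps({"user_id": 1, "is_admin": True}).encode())
    results["key_holder_signs"] = load_json_session(forged) == {"user_id": 1, "is_admin": True}

    # 4. A pickle of plain data passes the restricted loader...
    cookie_p = sign(pickle.dumps(session))
    results["pickle_plain_ok"] = load_pickle_session(cookie_p) == session

    # 5. ...but a pickle that references a global (here the harmless builtin
    #    `len`) is refused, which is the check that turns "pickle" from code
    #    into data. Django's PickleSerializer performs no such check.
    cookie_g = sign(pickle.dumps(len))
    try:
        load_pickle_session(cookie_g)
        results["pickle_global_blocked"] = False
    except pickle.UnpicklingError:
        results["pickle_global_blocked"] = True

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Scenario 3 is the one that matters for key hygiene: once SECRET_KEY leaks, rotating it invalidates every existing cookie, and no amount of signature checking helps until that is done. Scenario 5 shows why the serializer choice decides the blast radius of that leak.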