On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?
> 
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if you combine this with
> PickleSerializer[2], that escalates to remote code execution:
> pickle is flexible but also unsafe: it's fairly simple to fabricate
> data that, when unpickled, executes particular Python code. This is
> why one must never unpickle data from an untrusted source.

I know not to (and don't) use Pickle for that reason, but if Django is
using it and trusting the SECRET_KEY to protect it, that makes perfect
sense. Thanks!

-tkc
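Added here as an illustration of the point Erik makes above (not code from the thread or from Django itself): a simplified HMAC-signed session cookie, where the signature provides integrity only, so anyone holding SECRET_KEY can mint a cookie that verifies, and the serializer then decides whether that forged payload is inert JSON or code-executing pickle. The cookie format, function names and the audit helper are assumptions; the two Django setting values are the real ones.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Simplified model of a signed session cookie (assumption, not Django's
# exact wire format): payload is urlsafe-base64(JSON), signature is an
# HMAC-SHA256 over that payload keyed with SECRET_KEY.
def sign_session(data: dict, secret_key: bytes) -> str:
    raw = json.dumps(data, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    sig = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def load_session(cookie: str, secret_key: bytes) -> Optional[dict]:
    """Return the session dict if the signature verifies, else None."""
    payload, _, sig = cookie.rpartition(":")
    expected = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    # The HMAC only proves the holder of SECRET_KEY produced this payload.
    # Decoding it as JSON can yield nothing but dicts/lists/strings/numbers;
    # swapping in pickle.loads here is what turns a key leak into code execution.
    return json.loads(base64.urlsafe_b64decode(payload))

# Real Django setting values for the combination discussed in the thread.
SIGNED_COOKIES = "django.contrib.sessions.backends.signed_cookies"
PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"

def audit_session_settings(settings: dict) -> List[str]:
    """Hypothetical settings check: flag cookie-based sessions combined with
    PickleSerializer, where a leaked SECRET_KEY escalates to RCE."""
    findings = []
    engine = settings.get("SESSION_ENGINE", "")
    serializer = settings.get("SESSION_SERIALIZER", "")
    if engine == SIGNED_COOKIES and serializer == PICKLE_SERIALIZER:
        findings.append("signed_cookies + PickleSerializer: SECRET_KEY leak => RCE")
    elif serializer == PICKLE_SERIALIZER:
        findings.append("PickleSerializer in use: prefer JSONSerializer")
    return findings

if __name__ == "__main__":
    key = b"constructed-secret-key"  # constructed sample value
    cookie = sign_session({"user_id": 7}, key)
    print(load_session(cookie, key), load_session(cookie, b"wrong-key"))
```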



-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/20140521120129.091f9cfd%40bigbox.christie.dr.