Re: Deprecate PickleSerializer for session serialization?

2018-08-26 Thread Claude Paroz
On Sunday, 26 August 2018 13:36:41 UTC+2, James Bennett wrote:
>
> The only use case for pickle that I'm aware of is "I need a way to add a 
> security hole to my site". So let's just get rid of it.
>

From memory, I think there were cases when some types were not 
JSON-serializable.

Claude 

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/d967c505-cc95-4275-b720-c981a5b42f91%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Deprecate PickleSerializer for session serialization?

2018-08-26 Thread Adam Johnson


On Sun, 26 Aug 2018 at 20:10, Florian Apolloner wrote:

> Yes, let's deprecate and remove it. No 3rd party package from Django
> itself; if someone wants it, they should write one.
>
> On Sunday, August 26, 2018 at 3:57:20 PM UTC+2, Adam Johnson wrote:
>>
>> +1 to deprecate. Maybe we deprecate and remove it, and some user makes a
>> third party package if they so wish?
>>
>> On Sun, 26 Aug 2018 at 13:36, James Bennett  wrote:
>>
>>> The only use case for pickle that I'm aware of is "I need a way to add a
>>> security hole to my site". So let's just get rid of it.
>>>
>>
>>
>> --
>> Adam
>>
-- 
Adam



Re: Deprecate PickleSerializer for session serialization?

2018-08-26 Thread Florian Apolloner
Yes, let's deprecate and remove it. No 3rd party package from Django itself; 
if someone wants it, they should write one.

On Sunday, August 26, 2018 at 3:57:20 PM UTC+2, Adam Johnson wrote:
>
> +1 to deprecate. Maybe we deprecate and remove it, and some user makes a 
> third party package if they so wish?
>
> On Sun, 26 Aug 2018 at 13:36, James Bennett wrote:
>
>> The only use case for pickle that I'm aware of is "I need a way to add a 
>> security hole to my site". So let's just get rid of it.
>>
>
>
> -- 
> Adam
>



Re: Deprecate PickleSerializer for session serialization?

2018-08-26 Thread Adam Johnson
+1 to deprecate. Maybe we deprecate and remove it, and some user makes a
third party package if they so wish?

On Sun, 26 Aug 2018 at 13:36, James Bennett  wrote:

> The only use case for pickle that I'm aware of is "I need a way to add a
> security hole to my site". So let's just get rid of it.
>


-- 
Adam



Re: Deprecate PickleSerializer for session serialization?

2018-08-26 Thread James Bennett
The only use case for pickle that I'm aware of is "I need a way to add a
security hole to my site". So let's just get rid of it.



Re: Deprecate PickleSerializer for session serialization?

2018-08-25 Thread Shai Berger
On Sat, 25 Aug 2018 11:56:02 -0400
Michael Manfre  wrote:

> Anyone who uses it after reading the warning would likely still use
> it if it were in another package. A separate package is another "Are
> you sure?" step that they would likely ignore.

I disagree -- a separate package means that the idea of pickling the
session object into a cookie is removed from the Django documentation,
making people much less likely to stumble upon it and much more likely
to use safer serializations in relevant use-cases. It's not just an
"Are you sure?" -- they'd have to actively look for it.

+1 for footgun removal,

Shai.



Re: Deprecate PickleSerializer for session serialization?

2018-08-25 Thread Michael Manfre
I have no strong opinion about keeping it versus moving it. The docs already
provide a sufficient warning about the risks of using it. Anyone who uses
it after reading the warning would likely still use it if it were in
another package. A separate package is another "Are you sure?" step that
they would likely ignore.

Regards,
Michael Manfre

On Sat, Aug 25, 2018 at 9:12 AM Tim Graham  wrote:

> Alex proposed:
>
> ---
>
> Pickle serializer has long been known to be dangerous. This is mitigated
> by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to
> happen:
> https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/
>
>
> To further discourage its use, we should consider deprecating
> PickleSerializer and moving it into a third party package.
>
> https://code.djangoproject.com/ticket/29708
> ---
>
> I don't see much advantage to a separate package for 10 lines of code:
>
> import pickle
>
> class PickleSerializer:
>     """
>     Simple wrapper around pickle to be used in signing.dumps and
>     signing.loads.
>     """
>     protocol = pickle.HIGHEST_PROTOCOL
>
>     def dumps(self, obj):
>         return pickle.dumps(obj, self.protocol)
>
>     def loads(self, data):
>         return pickle.loads(data)
>
> I'm not sure that removing it from Django would improve security (since
> Django 1.6, JSONSerializer is the default session serializer). Thoughts?
>



Deprecate PickleSerializer for session serialization?

2018-08-25 Thread Tim Graham


Alex proposed:

---

Pickle serializer has long been known to be dangerous. This is mitigated by 
requiring MAC on pickle in cookies, but nevertheless, RCEs continue to 
happen:
https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/


To further discourage its use, we should consider deprecating 
PickleSerializer and moving it into a third party package.

https://code.djangoproject.com/ticket/29708
---

I don't see much advantage to a separate package for 10 lines of code:

import pickle

class PickleSerializer:
    """
    Simple wrapper around pickle to be used in signing.dumps and
    signing.loads.
    """
    protocol = pickle.HIGHEST_PROTOCOL

    def dumps(self, obj):
        return pickle.dumps(obj, self.protocol)

    def loads(self, data):
        return pickle.loads(data)

I'm not sure that removing it from Django would improve security (since 
Django 1.6, JSONSerializer is the default session serializer). Thoughts?

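An added example, not code from this thread or from Django itself, covering two points raised above: Tim's note that the serializer contract is just a dumps()/loads() pair checked behind a MAC, and Claude's recollection that people reached for pickle because some types were not JSON-serializable. The TaggedJSONSerializer below keeps the same dumps()/loads() interface but round-trips datetime and Decimal through explicit, tagged JSON and refuses everything else with TypeError, so the decoder can only ever construct those two inert types. sign_session()/load_session() are a deliberately simplified stand-in for django.core.signing (no salt, timestamp or key derivation) that shows the MAC being verified before any deserialization runs. SECRET_KEY, TaggedJSONSerializer, sign_session, load_session and the demo_* functions are names assumed for this example; the session dict is constructed.

```python
# Added example (not Django's code): a JSON session serializer with the same
# dumps()/loads() contract as the PickleSerializer quoted in the thread, plus a
# minimal HMAC wrapper standing in for django.core.signing.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from decimal import Decimal

# Hypothetical key for the example; in Django this role is played by SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


class TaggedJSONSerializer:
    """dumps()/loads() pair, JSON underneath. Only datetime and Decimal get a
    tagged encoding; any other non-JSON type raises TypeError instead of
    silently falling back to pickle."""

    def dumps(self, obj):
        # ensure_ascii (the json default) keeps the payload pure ASCII.
        return json.dumps(obj, default=self._encode, separators=(",", ":")).encode("ascii")

    def loads(self, data):
        return json.loads(data.decode("ascii"), object_hook=self._decode)

    @staticmethod
    def _encode(value):
        if isinstance(value, datetime):
            return {"__type__": "datetime", "value": value.isoformat()}
        if isinstance(value, Decimal):
            return {"__type__": "decimal", "value": str(value)}
        raise TypeError(f"{type(value).__name__} is not session-serializable")

    @staticmethod
    def _decode(d):
        # The decoder can only ever build these two harmless types; there is no
        # general "construct arbitrary object" path, which is the whole
        # difference from pickle.
        tag = d.get("__type__")
        if tag == "datetime":
            return datetime.fromisoformat(d["value"])
        if tag == "decimal":
            return Decimal(d["value"])
        return d


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_session(session: dict, serializer=None, key: bytes = SECRET_KEY) -> str:
    """Serialize, then MAC the encoded payload: 'payload.signature'."""
    serializer = serializer or TaggedJSONSerializer()
    payload = _b64(serializer.dumps(session))
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def load_session(token: str, serializer=None, key: bytes = SECRET_KEY) -> dict:
    """Verify the MAC first; only a token with a valid signature reaches loads()."""
    serializer = serializer or TaggedJSONSerializer()
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed session token") from None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return serializer.loads(_unb64(payload))


def demo_round_trip() -> dict:
    # Constructed session data including the two non-JSON types handled above.
    session = {
        "user_id": 42,
        "last_login": datetime(2018, 8, 25, 13, 12, tzinfo=timezone.utc),
        "balance": Decimal("10.50"),
    }
    return load_session(sign_session(session))


def demo_rejects_tampering() -> bool:
    # A payload edited after signing must fail the MAC check before loads().
    token = sign_session({"user_id": 42})
    _, sig = token.rsplit(".", 1)
    tampered = _b64(b'{"user_id":1}') + "." + sig
    try:
        load_session(tampered)
    except ValueError:
        return True
    return False


def demo_rejects_unknown_type() -> bool:
    # Anything outside the allowlist is refused at dumps() time.
    try:
        TaggedJSONSerializer().dumps({"callback": lambda: None})
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(demo_round_trip())
    print("tampering rejected:", demo_rejects_tampering())
    print("unknown type rejected:", demo_rejects_unknown_type())
```

The design point is that the "types that are not JSON-serializable" problem is solved by an explicit allowlist in the serializer, not by switching to a format whose decoder can instantiate arbitrary classes; the MAC then protects integrity, and even a key compromise only yields datetime and Decimal objects rather than code execution.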