On Sep 20, 2013, at 9:52 AM, Davide Rizzo <[email protected]> wrote:

> The examples you mentioned (forms, admin) were significant improvements 
> themselves, with big benefits to Django users. Switching the default session 
> serializer to JSONSerializer is providing no benefit to any user. It's 
> addressing a security problem (which is already documented) that only a few 
> users have (can you provide a big^H^H^H list of users who use signed cookies 
> but can't add a SESSION_SERIALIZER setting next to their 
> SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SECURE settings?).

This isn't exactly true. While it *is* true that the biggest risk to using 
pickle as the session serialization is if you're using the cookie storage 
engine, it is *not* true that it is the only place that it can be attacked. 
Particularly it can be used to daisy chain from a compromised database, 
memcache, redis, etc host (wherever you're storing your sessions) to exploiting 
the app server.

A basic tenet in securing systems is that you make each piece of the system 
responsible for its own security and you don't have it depend on the security 
of another system. Moving away from pickle as the default serialization engine 
ensures this property for the storage of session data.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

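A minimal model of the daisy chain described in the message above, added here as an illustration; it is not part of the original thread or of Django's code. The two serializer classes only mirror the dumps/loads-on-bytes shape of a session serializer; the in-memory STORE, the session id, the Payload class and the attacker_callable marker are all constructed for the example, and any integrity check a real session backend applies to the stored blob is deliberately left out so that only the deserializer's behaviour is on display.

```python
import json
import pickle

# Constructed stand-in for the session store (memcache, redis, a DB row) that
# an attacker has taken over. Keys are session ids, values are serialized blobs.
STORE = {}

# Harmless side-effect sink: records that an attacker-chosen callable ran on
# the app server at deserialization time. A real payload would point at
# something like os.system instead; this example never does.
EXECUTED = []


def attacker_callable(marker):
    EXECUTED.append(marker)
    return {}  # becomes the "session dict" the app carries on with


class Payload:
    """Object whose pickle says: to rebuild me, call attacker_callable(marker)."""

    def __reduce__(self):
        return (attacker_callable, ("ran-on-app-server",))


class PickleSerializer:
    def dumps(self, obj):
        return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)

    def loads(self, data):
        return pickle.loads(data)


class JSONSerializer:
    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


def save_session(sid, session_dict, serializer):
    STORE[sid] = serializer.dumps(session_dict)


def load_session(sid, serializer):
    return serializer.loads(STORE[sid])


def pickle_daisy_chain():
    """Compromised store + pickle serializer: the attacker's code runs on the app server."""
    EXECUTED.clear()
    serializer = PickleSerializer()
    save_session("s1", {"_auth_user_id": "1"}, serializer)   # the legitimate app
    # Attacker with write access to the store swaps in their own blob ...
    STORE["s1"] = pickle.dumps(Payload(), pickle.HIGHEST_PROTOCOL)
    # ... and it executes the next time the app loads that session.
    session = load_session("s1", serializer)
    return list(EXECUTED), session


def json_same_store_compromise():
    """Same attacker, same access, JSON serializer: data can be tampered with, code cannot run."""
    EXECUTED.clear()
    serializer = JSONSerializer()
    save_session("s1", {"_auth_user_id": "1"}, serializer)
    # The attacker can still rewrite the session contents ...
    STORE["s1"] = b'{"_auth_user_id":"1","is_staff":true}'
    tampered = load_session("s1", serializer)
    # ... but a pickle payload is rejected by the JSON parser and nothing executes.
    STORE["s1"] = pickle.dumps(Payload(), pickle.HIGHEST_PROTOCOL)
    try:
        load_session("s1", serializer)
        rejected = False
    except ValueError:  # json.JSONDecodeError is a ValueError
        rejected = True
    return list(EXECUTED), tampered, rejected


if __name__ == "__main__":
    print(pickle_daisy_chain())          # (['ran-on-app-server'], {})
    print(json_same_store_compromise())  # ([], {...,'is_staff': True}, True)
```

The second function also shows what the JSON serializer does not buy you: an attacker who controls the store can still alter the session contents, so integrity of the stored blob (a signature or HMAC over it) remains a separate property. What changes is that the worst case shrinks from code execution on the app server to tampering with data, which is exactly the "each piece responsible for its own security" property the message argues for.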