Skip to content
Projeler
Gruplar
Parçacıklar
Yardım
Yükleniyor...
Oturum aç / Kaydol
Gezinmeyi değiştir
D
django
Proje
Proje
Ayrıntılar
Etkinlik
Cycle Analytics
Depo (repository)
Depo (repository)
Dosyalar
Kayıtlar (commit)
Dallar (branch)
Etiketler
Katkıda bulunanlar
Grafik
Karşılaştır
Grafikler
Konular (issue)
0
Konular (issue)
0
Liste
Pano
Etiketler
Kilometre Taşları
Birleştirme (merge) Talepleri
0
Birleştirme (merge) Talepleri
0
CI / CD
CI / CD
İş akışları (pipeline)
İşler
Zamanlamalar
Grafikler
Paketler
Paketler
Wiki
Wiki
Parçacıklar
Parçacıklar
Üyeler
Üyeler
Collapse sidebar
Close sidebar
Etkinlik
Grafik
Grafikler
Yeni bir konu (issue) oluştur
İşler
Kayıtlar (commit)
Konu (issue) Panoları
Kenar çubuğunu aç
Batuhan Osman TASKAYA
django
Commits
956df84a
Kaydet (Commit)
956df84a
authored
Agu 27, 2015
tarafından
Tim Graham
Dosyalara gözat
Seçenekler
Dosyalara Gözat
İndir
Eposta Yamaları
Sade Fark
Removed historical note about session serialization.
üst
e8cbc2b3
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
13 additions
and
19 deletions
+13
-19
sessions.txt
docs/topics/http/sessions.txt
+13
-19
No files found.
docs/topics/http/sessions.txt
Dosyayı görüntüle @
956df84a
...
...
@@ -319,28 +319,22 @@ You can edit it multiple times.
Session serialization
---------------------
Before version 1.6, Django defaulted to using :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
known by an attacker (there isn't an inherent vulnerability in Django that
would cause it to leak), the attacker could insert a string into their session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
:setting:`SECRET_KEY` leak immediately escalates to a remote code execution
vulnerability.
This attack can be mitigated by serializing session data using JSON rather
than :mod:`pickle`. To facilitate this, Django 1.5.3 introduced a new setting,
:setting:`SESSION_SERIALIZER`, to customize the session serialization format.
For backwards compatibility, this setting defaults to
using :class:`django.contrib.sessions.serializers.PickleSerializer` in
Django 1.5.x, but, for security hardening, defaults to
:class:`django.contrib.sessions.serializers.JSONSerializer` in Django 1.6.
Even with the caveats described in :ref:`custom-serializers`, we highly
By default, Django serializes session data using JSON. You can use the
:setting:`SESSION_SERIALIZER` setting to customize the session serialization
format. Even with the caveats described in :ref:`custom-serializers`, we highly
recommend sticking with JSON serialization *especially if you are using the
cookie backend*.
For example, here's an attack scenario if you use :mod:`pickle` to serialize
session data. If you're using the :ref:`signed cookie session backend
<cookie-session-backend>` and :setting:`SECRET_KEY` is known by an attacker
(there isn't an inherent vulnerability in Django that would cause it to leak),
the attacker could insert a string into their session which, when unpickled,
executes arbitrary code on the server. The technique for doing so is simple and
easily available on the internet. Although the cookie session storage signs the
cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak
immediately escalates to a remote code execution vulnerability.
Bundled Serializers
^^^^^^^^^^^^^^^^^^^
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
