Comments (11)
Alternatively, perhaps just switching to this:
http://home.gna.org/oomadness/en/cerealizer/index.html
And forcing people to register any class they want to serialize?
from beaker.
For most use cases the json module is able to serialize and deserialize most data people store inside their sessions.
Would it be a feasible solution to use json by default and provide a configuration option to change serialization backend until it supports the loads/dumps functions?
I'd go with JSON.
On Apr 18, 2013, at 21:29, Alessandro Molina [email protected] wrote:
For most use cases the json module is able to serialize and deserialize most data people store inside their sessions.
Would it be a feasible solution to use json by default and provide a configuration option to change serialization backend until it supports the loads/dumps functions?
Any reason why the above patch #56 is not applied yet? We just had a security review of a Pyramid app and the cookie pickle article was mentioned in the review. I kind of was hoping Beaker had resolved this issue by now.
If you're already using pyramid, I'd highly suggest using its cookie session facility. I haven't really had time that I've wanted to spend going through Beaker issues lately, which is the main reason it hasn't been applied yet. The session is always signed, which reduces the odds that someone is going to fabricate a payload that will be unpickled (they'd have to know your secret key to sign it properly). If however they were able to do that, it would definitely be bad that remote code could be run as a result.
I will see if I am able to spend some time on Beaker this upcoming week.
Just as a quick update, I ended up manually applying this patch #56 and used json as the session serialisation method, in the hope it would have been ok, but after a second security review of our code they were still not happy, because in the deserialize() method of that patch it tries to use pickle first and then falls back to json if the depickle fails, therefore not fixing the security issue.
I really don't want to have to keep a fork of beaker for a little thing like this, and to be honest I don't think this is even necessary, or as big of a deal as they make it out to be, that beaker is using pickle for session serialisation.
I am going to try to argue that this whole thing is somewhat pointless because it requires the secret key to be compromised and if that happens, you got much bigger problems, but also I am really hoping that beaker can get support for json as a serializer in the future.
@robvdl I sort of agree, however, there have been a decent number of arbitrary directory traversal bugs in various pieces of software. So it doesn't seem too far-fetched to use one of those to pick out a secret key, and then, using this bug, do remote code execution.
I don't know how likely such a thing is, but it definitely means that a directory traversal bug could quickly become a remote code execution issue.
I have been looking at patch #56 and in the deserialize() method it already gets a "method" argument, which can be checked, instead of trying pickle first and THEN if that fails using json.
I've created an updated pull request for this, #65, which is based on #56 but does not try to use pickle first in the deserialize function and fall back to json if it fails.
Instead it makes use of the 'method' argument of the deserialize function.
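The difference between the #56 "try pickle, then fall back to json" deserializer and the #65 "dispatch on the configured method" deserializer, as an added illustration that is not Beaker's own code (the function and registry names are assumed, and the sample session and pickle bytes are constructed here):

```python
import json
import pickle

# Registry keyed by the configured session serialization method (names assumed,
# not Beaker's). Each entry is a (dumps, loads) pair working on bytes.
SERIALIZERS = {
    "json": (lambda obj: json.dumps(obj).encode("utf-8"),
             lambda data: json.loads(data.decode("utf-8"))),
    "pickle": (pickle.dumps, pickle.loads),
}


def serialize(obj, method="json"):
    dumps, _loads = SERIALIZERS[method]
    return dumps(obj)


def deserialize_fallback(data, method="json"):
    """The #56 pattern the thread objects to: pickle is attempted first no
    matter what 'method' is configured, so untrusted bytes still reach
    pickle.loads before the json path is ever considered."""
    try:
        return pickle.loads(data)
    except Exception:
        return json.loads(data.decode("utf-8"))


def deserialize_strict(data, method="json"):
    """The #65 pattern: only the configured backend is used, with no fallback.
    With method='json', pickle bytes are rejected instead of being executed."""
    if method not in SERIALIZERS:
        raise ValueError("unknown serialization method: %r" % (method,))
    _dumps, loads = SERIALIZERS[method]
    try:
        return loads(data)
    except (ValueError, TypeError) as exc:  # UnicodeDecodeError is a ValueError
        raise ValueError("payload is not valid %s data" % method) from exc


def demo():
    """Returns (fallback unpickled despite json config, strict accepted json,
    strict refused pickle)."""
    session = {"user_id": 42, "roles": ["admin"]}
    json_bytes = serialize(session, "json")
    pickle_bytes = serialize(session, "pickle")  # constructed, benign pickle of a dict
    fallback_unpickled = deserialize_fallback(pickle_bytes, "json") == session
    strict_json_ok = deserialize_strict(json_bytes, "json") == session
    try:
        deserialize_strict(pickle_bytes, "json")
        strict_refused = False
    except ValueError:
        strict_refused = True
    return fallback_unpickled, strict_json_ok, strict_refused
```

Run demo() to see that the fallback version unpickles even when json is configured, while the strict version round-trips JSON and raises on pickle bytes.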
Looks like my pull request #65 got merged, that is nice, and means this ticket can be closed.
Yep, merged it and tweaked it to cope with the recent changes to support python3.
Sorry if I messed up during the merge conflicts resolution and it ended up being a plain commit instead of a merge :)