[1.6.x] Fixed #21002 -- Documented JSON session serialization requires string keys

Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1 from master
timgraham committed Sep 3, 2013
1 parent b53ce2f commit c0fb6bd
Showing 2 changed files with 22 additions and 5 deletions.
7 changes: 5 additions & 2 deletions docs/releases/1.6.txt
Expand Up @@ -745,7 +745,8 @@ Default session serialization switched to JSON
Historically, :mod:`django.contrib.sessions` used :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
known by an attacker, the attacker could insert a string into his session
known by an attacker (there isn't an inherent vulnerability in Django that
would cause it to leak), the attacker could insert a string into his session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
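Review bot: the parenthetical inserted after "known by an attacker" leaves the pronoun "it" without a clear antecedent and splits the conditional in two; the point being made is that Django itself does not leak :setting:`SECRET_KEY`. Suggest moving the qualification into its own sentence, e.g. "If you're using the signed cookie session backend and SECRET_KEY is known by an attacker, the attacker could insert a string into his session which, when unpickled, executes arbitrary code on the server. (Django itself has no known weakness that leaks SECRET_KEY; the risk arises if it is disclosed some other way.)" The same sentence is added verbatim to docs/topics/http/sessions.txt in this commit, so whichever wording is chosen should be applied to both copies.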
Expand All @@ -759,7 +760,9 @@ For backwards compatibility, this setting defaulted to using :mod:`pickle`
in Django 1.5.3, but we've changed the default to JSON in 1.6. If you upgrade
and switch from pickle to JSON, sessions created before the upgrade will be
lost. While JSON serialization does not support all Python objects like
:mod:`pickle` does, we highly recommend using JSON-serialized sessions. See the
:mod:`pickle` does, we highly recommend using JSON-serialized sessions. Also,
as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details.

Miscellaneous
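Review bot: "you will likely run into problems" is vaguer than it needs to be for a release note, since the failure mode is known: JSON object keys are always strings, so a key such as ``0`` is written out as ``"0"`` and ``request.session[0]`` raises ``KeyError`` on the next request. Suggest stating that directly, e.g. "Non-string keys in ``request.session`` will be converted to strings when the session is serialized, so lookups with the original key will fail on subsequent requests," and pointing to the worked example this commit adds in the sessions topic guide rather than only to :ref:`session_serialization`.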
20 changes: 17 additions & 3 deletions docs/topics/http/sessions.txt
Expand Up @@ -325,7 +325,8 @@ Session serialization
Before version 1.6, Django defaulted to using :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
known by an attacker, the attacker could insert a string into his session
known by an attacker (there isn't an inherent vulnerability in Django that
would cause it to leak), the attacker could insert a string into his session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
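Review bot: this hunk repeats the exact wording of the release-notes change, including the awkward parenthetical "(there isn't an inherent vulnerability in Django that would cause it to leak)", where "it" is meant to refer to :setting:`SECRET_KEY`. Suggest the same rewording as in docs/releases/1.6.txt so the two passages stay consistent, and consider having the release note link to this section instead of duplicating the paragraph.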
Expand All @@ -349,8 +350,21 @@ Bundled Serializers
.. class:: serializers.JSONSerializer

A wrapper around the JSON serializer from :mod:`django.core.signing`. Can
only serialize basic data types. See the :ref:`custom-serializers` section
for more details.
only serialize basic data types.

In addition, as JSON supports only string keys, note that using non-string
keys in ``request.session`` won't work as expected::

>>> # initial assignment
>>> request.session[0] = 'bar'
>>> # subsequent requests following serialization & deserialization
>>> # of session data
>>> request.session[0] # KeyError
>>> request.session['0']
'bar'

See the :ref:`custom-serializers` section for more details on limitations
of JSON serialization.

.. class:: serializers.PickleSerializer

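Review bot: the example shows ``>>> request.session[0]  # KeyError`` with no traceback, which a reader skimming the literal block may read as a successful lookup; suggest either showing the ``KeyError`` traceback as a doctest would, or stating in prose that the key is coerced to the string ``'0'`` on serialization and the integer lookup raises ``KeyError`` on the next request. It would also help to note that this coercion applies to the other non-string key types JSON accepts (``int``, ``float``, ``bool``, ``None``), while keys of any other type (for example a tuple) cannot be serialized at all and raise ``TypeError`` when the session is saved, so "won't work as expected" covers two distinct failure modes.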

0 comments on commit c0fb6bd