Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #20444 -- Cookie-based sessions does not include a remote code …

…execution-warning
  • Loading branch information...
commit d5ce2ff5e485bf94fcade340bc803ba4671bd95a 1 parent 3634948
@erikr erikr authored aaugustin committed
Showing with 11 additions and 0 deletions.
  1. +11 −0 docs/topics/http/sessions.txt
View
11 docs/topics/http/sessions.txt
@@ -125,6 +125,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
+ **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
+ arbitrary remote code execution.**
+
+ An attacker in possession of the :setting:`SECRET_KEY` can not only
+ generate falsified session data, which your site will trust, but also
+ remotely execute arbitrary code, as the data is serialized using pickle.
+
+ If you use cookie-based sessions, pay extra care that your secret key is
+ always kept completely secret, for any system which might be remotely
+ accessible.
+
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.

0 comments on commit d5ce2ff

Please sign in to comment.
Something went wrong with that request. Please try again.