Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning
commit d5ce2ff5e485bf94fcade340bc803ba4671bd95a 1 parent 3634948
Erik Romijn authored May 18, 2013 aaugustin committed May 18, 2013

Showing 1 changed file with 11 additions and 0 deletions.

11  docs/topics/http/sessions.txt
@@ -125,6 +125,17 @@ and the :setting:`SECRET_KEY` setting.
125 125
 
126 126
 .. warning::
127 127
 
  128
+    **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
  129
+    arbitrary remote code execution.**
  130
+
  131
+    An attacker in possession of the :setting:`SECRET_KEY` can not only
  132
+    generate falsified session data, which your site will trust, but also
  133
+    remotely execute arbitrary code, as the data is serialized using pickle.
  134
+
  135
+    If you use cookie-based sessions, pay extra care that your secret key is
  136
+    always kept completely secret, for any system which might be remotely
  137
+    accessible.
  138
+
128 139
     **The session data is signed but not encrypted**
129 140
 
130 141
     When using the cookies backend the session data can be read by the client.
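Review bot: the :setting: role inside the bold span at lines 128-129 of the hunk ("**If the :setting:`SECRET_KEY` is not kept secret, this can lead to" / "arbitrary remote code execution.**") will not be resolved, because reStructuredText does not allow nested inline markup; Sphinx will render the role text literally inside the emphasized sentence instead of as a cross-reference to the setting. Close the bold before the role and reopen it afterwards, e.g. "**If the** :setting:`SECRET_KEY` **is not kept secret, this can lead to arbitrary remote code execution.**", or write the setting name as a plain ``SECRET_KEY`` literal inside the bold. Two smaller points: line 133 ("remotely execute arbitrary code, as the data is serialized using pickle") states the cause but not the mechanism, and one clause saying that the server unpickles whatever the signed cookie carries, so a forged signature turns into deserialization of attacker-controlled data, would make clear why this is code execution rather than merely trusted session data; and the closing sentence at lines 135-137 ("pay extra care that your secret key is always kept completely secret, for any system which might be remotely accessible") reads more cleanly as "make sure your secret key is always kept completely secret on any system that is remotely accessible".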
