Please sign in to comment.
Do not use pickle for serialization in memcache, but JSON
We don't want to use pickle as it can execute arbitrary code. JSON is safer. However, note that it supports serialization for only some specific subset of object types; this should be enough for what we need, though. To avoid issues on upgrades (unability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values: 0 = older, insecure pickle serialization 1 = json serialization but pickles can still be read (still insecure) 2 = json serialization only (secure and the default) To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. Support for 0 and 1 will be removed in future versions. Part of bug 1006414. Change-Id: Id7d6d547b103b4f23ebf5be98b88f09ec6027ce4
- Loading branch information...
Showing with 125 additions and 17 deletions.