pickle is unsafe

[fxkr]

If the server secret leaks an attacker can forge cookies and get the server to unpickle them, which gives him remote code execution.

Therefore, something else should be used for serialization. Maybe json.

Proof of concept:

Python 2.7.1 (r271:86832, Jan  6 2011, 11:51:37) 
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pickle; pickle.loads("cos\nsystem\n(S'whoami'\ntR.")
fxkr

[mitsuhiko]

Not a bug. Behavior of pickle is known, if one wants to use a different serialization system one can hook in simplejson with a single line change. Just override the serialization_method attribute of the secure cookie with the json module.

[fxkr]

How is that not a bug if knowing the server secret which is lying around in plaintext in a config file leads to remote code execution?

This can easily happen on a server with multiple users and incorrectly set file permissions, and I am fairly sure end users (!) will in most cases be unaware of the consequences of server secret compromittation. Ok, in that scenario it wouldn't be called remote code execution but privilege escalation (that other user can escalate to whatever user runs the web application).

I was aware of the fact that one can set serialization_method, but I believe pickle shouldn't be the default.

Your call though.

[mitsuhiko]

Werkzeug itself is compatible down to Python 2.4 where simplejson is not bundled. Thus that can't be the default in the first place. It would be an option to make it the default for Flask, that however would mean breaking backwards compatibility.

If anyone has access to your server files you have a few other issues as well. What I will do however is adding a warning to the documentation.

[fxkr]

Thanks.