From 2b750fff5653781f07e65a54a99e7da66361ec9e Mon Sep 17 00:00:00 2001 From: Erik Romijn Date: Sat, 18 May 2013 16:35:39 +0200 Subject: [PATCH] [1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning Backport of d5ce2ff5e4 from master --- docs/topics/http/sessions.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index 03692fb1fd..0e6df4a076 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -124,6 +124,17 @@ and the :setting:`SECRET_KEY` setting. .. warning:: + **If the :setting:`SECRET_KEY` is not kept secret, this can lead to + arbitrary remote code execution.** + + An attacker in possession of the :setting:`SECRET_KEY` can not only + generate falsified session data, which your site will trust, but also + remotely execute arbitrary code, as the data is serialized using pickle. + + If you use cookie-based sessions, pay extra care that your secret key is + always kept completely secret, for any system which might be remotely + accessible. + **The session data is signed but not encrypted** When using the cookies backend the session data can be read by the client.
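Review bot: The new warning text in the hunk tells the reader that a leaked :setting:`SECRET_KEY` means arbitrary remote code execution, but it does not say what to do about it; the paragraph beginning "If you use cookie-based sessions, pay extra care" should also advise rotating the key if it may have been exposed (for example, if it was ever committed to version control), and note that rotating it invalidates every existing session. Minor wording: "pay extra care" reads better as "take extra care", and "does not include a remote code execution-warning" in the subject line should be "do not include a remote code execution warning". The bold lead sentence of the warning is fine as the first item of the `.. warning::` block, and its four-space indentation matches the existing "**The session data is signed but not encrypted**" entry below it.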