September 10, 2013
This is Django 1.5.3, the third release in the Django 1.5 series. It addresses
one security issue and also contains an opt-in feature to enhance the security
of django.contrib.sessions
.
ssi
template tag¶In previous versions of Django it was possible to bypass the
ALLOWED_INCLUDE_ROOTS
setting used for security with the ssi
template tag by specifying a relative path that starts with one of the allowed
roots. For example, if ALLOWED_INCLUDE_ROOTS = ("/var/www",)
the following
would be possible:
{% ssi "/var/www/../../etc/passwd" %}
In practice this is not a very common problem, as it would require the template
author to put the ssi
file in a user-controlled variable, but it’s possible
in principle.
django.contrib.sessions
¶django.contrib.sessions
currently uses pickle
to serialize
session data before storing it in the backend. If you’re using the signed
cookie session backend and SECRET_KEY
is
known by an attacker (there isn’t an inherent vulnerability in Django that
would cause it to leak), the attacker could insert a string into their session
which, when unpickled, executes arbitrary code on the server. The technique for
doing so is simple and easily available on the internet. Although the cookie
session storage signs the cookie-stored data to prevent tampering, a
SECRET_KEY
leak immediately escalates to a remote code execution
vulnerability.
This attack can be mitigated by serializing session data using JSON rather
than pickle
. To facilitate this, Django 1.5.3 introduces a new setting,
SESSION_SERIALIZER
, to customize the session serialization format.
For backwards compatibility, this setting defaults to using pickle
.
While JSON serialization does not support all Python objects like pickle
does, we highly recommend switching to JSON-serialized values. Also,
as JSON requires string keys, you will likely run into problems if you are
using non-string keys in request.session
. See the
Session serialization documentation for more details.
Jul 28, 2023