#35905: Sign (or encrypt) pickle cache traffic to protect against remote code
execution through cache takeover
-------------------------------------+-------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: New feature | Status: closed
Component: Core (Cache system) | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: cache security | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):
* resolution: => wontfix
* status: new => closed
* summary:
Please start signing (or encrypting) pickle cache traffic to protect
against remote code execution through cache takeover, by default
=>
Sign (or encrypt) pickle cache traffic to protect against remote code
execution through cache takeover
* type: Bug => New feature
Comment:
Hello again Sebastian,
I think the historic consensus has been that if the machine your cache
runs on is compromised, signing/encrypting the data will not help much,
and since a cache is supposed to be very fast, the performance overhead
isn't acceptable.
To propose a new feature like this, the proper channel is the
[https://forum.djangoproject.com/c/internals/5 Django Internals section of
Django forum] (which reaches a wider audience than.this ticket tracker).
If there is consensus to make a change, we'll reopen and accept this
ticket. Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/35905#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019320c8e35f-43b77348-08e0-4ec0-a848-7c9ed232259c-000000%40eu-central-1.amazonses.com.
