Re: Default session data serializer doesn't support extended data types

2013-09-21 Thread Davide Rizzo
On Friday, September 20, 2013 4:40:39 PM UTC+2, Curtis Maloney wrote: > I talked with the OP [or someone who talks a _lot_ like the OP:)] > Oh, I should meet this animal–pardon, this guy. :) And the answer is: there's no way for a matching Decoder to know when to > decode any of these types, si

Re: Default session data serializer doesn't support extended data types

2013-09-21 Thread Davide Rizzo
On Friday, September 20, 2013 3:59:47 PM UTC+2, Donald Stufft wrote: > > A basic tenet in securing systems is that you make each piece of the > system responsible for its own security and you don't have it depend on > the security of another system. Moving away from pickle as the default > se

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Florian Apolloner
On Friday, September 20, 2013 4:40:39 PM UTC+2, Curtis Maloney wrote: > > And the answer is: there's no way for a matching Decoder to know when to > decode any of these types, since there's no schema available. > Good point, it would be doable by serializing into something like '{_type: dateti

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Florian Apolloner
On Friday, September 20, 2013 3:52:30 PM UTC+2, Davide Rizzo wrote: > > On Friday, September 20, 2013 2:55:33 PM UTC+2, Florian Apolloner wrote: >> >> Btw could it be that you are mixing out Encoder and Serializer? >> > > No, I say Serializer when I mean... well, a serializer, as specified by >

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Curtis Maloney
I talked with the OP [or someone who talks a _lot_ like the OP:)] on IRC about this issue before recommending they open a ticket... and aside from anything else discussed, since someone already saw fit to include an extended JSONEncoder class in core/serializers, why doesn't the session machinery r

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Donald Stufft
On Sep 20, 2013, at 9:52 AM, Davide Rizzo wrote: > The examples you mentioned (forms, admin) were significant improvements > themselves, with big benefits to Django users. Switching the default session > serializer to JSONSerializer is providing no benefit to any user. It's > addressing a sec

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Davide Rizzo
On Friday, September 20, 2013 2:55:33 PM UTC+2, Florian Apolloner wrote: > > > Btw could it be that you are mixing out Encoder and Serializer? > No, I say Serializer when I mean... well, a serializer, as specified by SESSION_SERIALIZER. I say Encoder when I mean the Encoder class used by JSONS

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Florian Apolloner
On Friday, September 20, 2013 10:24:00 AM UTC+2, Davide Rizzo wrote: > > - using the raw JSONEncoder by default is not offering any significant > security advantage over using an extended encoder. I feel like it's going > to discourage coders from using JSONSerializer at all. > Btw could it be tha

Re: Default session data serializer doesn't support extended data types

2013-09-20 Thread Davide Rizzo
Hi Tim, Indeed I looked at the comments in the ticket and pull request. I don't feel like these changes provide a significant security improvement: - using JSONSerializer over PickleSerializer is only relevant if you are using any non-default configuration that allows session data to be tampere

Re: Default session data serializer doesn't support extended data types

2013-09-19 Thread Tim Graham
Hi Davide, Did you take a look at the design decisions as described in the ticket and pull request? We made these decisions in order to push the community toward developing more secure apps and the transition isn't expected to be painless. We had several core developers review the patch and dis

Re: Default session data serializer doesn't support extended data types

2013-09-19 Thread Florian Apolloner
Hi Davide, On Thursday, September 19, 2013 4:46:44 PM UTC+2, Davide Rizzo wrote: > > The inconvenience is breaking compatibility with all third party apps that > rely on storing extended data types (such as those supported by > DjangoJSONEncoder) with the default settings. Properly serializing d

Default session data serializer doesn't support extended data types

2013-09-19 Thread Davide Rizzo
#20922 introduced the option to choose a custom session data serializer. The default option is to use the new JSONSerializer starting from 1.6, since using pickle would lead to a remote code execution vulnerability when session data is stored in coo