beaker.session.type = file was the default a few releases ago for that same
reason.
It has been changed due to people complaining that they were running out of
file system inodes due to beaker sessions, as they didn't provide a script to
clean up sessions.
The solution applied has been to change the default to cookie and let the
developer choose his own way to manage sessions on the server.

We can probably add a warning to both cookie and file sessions making the
user aware of the limits of both, but I would keep the default on cookie as
it seems to satisfy more users as a default.


On Fri, Jan 25, 2013 at 11:48 PM, Moritz Schlarb <[email protected]> wrote:

> Hi there,
>
> beaker.session is (like most session frameworks) vulnerable to a
> "malicious pickle" attack (if the attacker knows the secret key) when
> cookies are used (which can lead to remote code execution).
> Now, of course, the secret key is - as its name says - meant to be kept
> secret and to be changed for every deployment, and the vulnerabilities
> in the pickle protocol are also mentioned in the Python docs.
> So, "normal" applications should be safe - as long as there is no
> possibility for arbitrary file access.
> Though, brute-force decrypting the cookie, looking for something that
> looks like pickle'd data could be possible.
>
> But, as an easy solution is to just use beaker.session.type = file
> instead of cookie, I think it could be worth either discussing changing
> the default or at least mentioning this explicitly in a red box in the
> documentation. ;)
> - Especially since it also applies to apps that do not actively use
> tg.session - since the session gets depickled anyways (and in such
> cases, a developer might think that he doesn't need to care about the
> secret key at all!).
>
> The vulnerabilities are described here:
> http://vudang.com/2013/01/python-web-framework-from-lfr-to-rce/ and a
> PoC exploit that can be used is available here:
> https://github.com/danghvu/pwp
>
> Regards,
> Moritz
>
> --
> Moritz Schlarb
>
> --
> You received this message because you are subscribed to the Google Groups
> "TurboGears" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> Visit this group at http://groups.google.com/group/turbogears?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>

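The maintainer's reason for moving the default away from file sessions was the lack of a cleanup script, so stale session files slowly exhausted the file system's inodes. Below is an added example of such a purge script (not code from Beaker or TurboGears, nor from anyone in this thread); it assumes sessions are stored as ordinary files under beaker.session.data_dir and that a file's mtime reflects the last time the session was written.

```python
"""Purge stale Beaker file-backed session files (added example).

Assumptions: `beaker.session.type = file` stores each session as a regular
file somewhere under `beaker.session.data_dir`, and the file's mtime is the
last write to that session.  Run from cron so file sessions do not pile up.
"""
import os
import sys
import time


def find_stale_sessions(data_dir, max_age_seconds, now=None):
    """Return paths of regular files under data_dir untouched for longer than max_age_seconds."""
    now = time.time() if now is None else now
    stale = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                mtime = os.stat(path).st_mtime
            except FileNotFoundError:
                continue  # a live request removed it between listing and stat
            if now - mtime > max_age_seconds:
                stale.append(path)
    return stale


def purge_stale_sessions(data_dir, max_age_seconds, now=None, dry_run=False):
    """Delete stale session files; return the paths removed (or, in dry-run mode, those that would be)."""
    removed = []
    for path in find_stale_sessions(data_dir, max_age_seconds, now):
        if not dry_run:
            try:
                os.remove(path)
            except FileNotFoundError:
                continue  # already gone; nothing to report
        removed.append(path)
    return removed


if __name__ == "__main__":
    # usage: purge_sessions.py <data_dir> <max_age_days> [--dry-run]
    directory, days = sys.argv[1], float(sys.argv[2])
    dry = "--dry-run" in sys.argv[3:]
    for p in purge_stale_sessions(directory, days * 86400, dry_run=dry):
        print(("would remove " if dry else "removed ") + p)
```

Point it at the configured data_dir only; the age threshold should be at least as long as the application's session timeout so an idle but still valid session is not deleted under a user.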