I tried making it more clear in the documentation: https://github.com/TurboGears/tg2docs/pull/19
On Saturday, 26 January 2013 11:21:37 UTC+1, Alessandro Molina wrote:
>
> beaker.session.type = file was the default a few releases ago for that
> same reason.
> It has been changed due to people complaining that they were finishing
> file system inodes due to beaker sessions as they didn't provide a script
> to clean up sessions.
> The solution applied has been to change the default to cookie and let the
> developer choose his own way to manage sessions on the server.
>
> We can probably add a warning to both cookie and file sessions making the
> user aware of the limits of both, but I would keep the default on cookie as
> it seems to satisfy more users as a default.
>
>
> On Fri, Jan 25, 2013 at 11:48 PM, Moritz Schlarb <[email protected]> wrote:
>
>> Hi there,
>>
>> beaker.session is (like most session frameworks) vulnerable to a
>> "malicious pickle" attack (if the attacker knows the secret key) when
>> cookies are used (which can lead to remote code execution).
>> Now, of course, the secret key is - as its name says - meant to be kept
>> secret and to be changed for every deployment, and the vulnerabilities
>> in the pickle protocol are also mentioned in the Python docs.
>> So, "normal" applications should be safe - as long as there is no
>> possibility for arbitrary file access.
>> Though, brute-force decrypting the cookie, looking for something that
>> looks like pickle'd data could be possible.
>>
>> But, as an easy solution is to just use beaker.session.type = file
>> instead of cookie, I think it could be worth either discussing changing
>> the default or at least mentioning this explicitly in a red box in the
>> documentation. ;)
>> - Especially since it also applies to apps that do not actively use
>> tg.session - since the session gets depickled anyways (and in such
>> cases, a developer might think that he doesn't need to care about the
>> secret key at all!).
>>
>> The vulnerabilities are described here:
>> http://vudang.com/2013/01/python-web-framework-from-lfr-to-rce/ and a
>> PoC for an exploit, that can be used is available here:
>> https://github.com/danghvu/pwp
>>
>> Regards,
>> Moritz
>>
>> --
>> Moritz Schlarb
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "TurboGears" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> Visit this group at http://groups.google.com/group/turbogears?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.

