Woah! That monkeypatch is quite awesome! :D And as another variant, for those that don't even use the session, they can simply disable the Middleware as described here: https://github.com/TurboGears/tg2/blob/master/tg/configuration/app_config.py#L775

Thanks for merging, Alessandro.

On Saturday, 26 January 2013 17:02:32 UTC+1, Alessandro Molina wrote:
>
> Thanks!
> I'll try to merge it as soon as possible.
>
> For people that feel the need to make themselves totally safe from pickle
> based remote execution, it is also possible to monkeypatch beaker from the
> app_cfg.py so that it uses json.
>
> import beaker.util, json
> beaker.util.pickle = json
>
> As json and pickle share the dumps/loads methods and float/int/str types
> are supported on both, storing and recovering the session will work using
> json.
>
> On Sat, Jan 26, 2013 at 1:50 PM, Moritz Schlarb <[email protected]> wrote:
>
>> I tried making it more clear in the documentation:
>> https://github.com/TurboGears/tg2docs/pull/19
>>
>> On Saturday, 26 January 2013 11:21:37 UTC+1, Alessandro Molina wrote:
>>>
>>> beaker.session.type = file was the default a few releases ago for that
>>> same reason.
>>> It has been changed due to people complaining that they were finishing
>>> file system inodes due to beaker sessions as they didn't provide a script
>>> to clean up sessions.
>>> The solution applied has been to change the default to cookie and let
>>> the developer choose his own way to manage sessions on the server.
>>>
>>> We can probably add a warning to both cookie and file sessions making
>>> the user aware of the limits of both, but I would keep the default on
>>> cookie as it seems to satisfy more users as a default.
>>>
>>> On Fri, Jan 25, 2013 at 11:48 PM, Moritz Schlarb <[email protected]> wrote:
>>>
>>>> Hi there,
>>>>
>>>> beaker.session is (like most session frameworks) vulnerable to a
>>>> "malicious pickle" attack (if the attacker knows the secret key) when
>>>> cookies are used (which can lead to remote code execution).
>>>> Now, of course, the secret key is - as its name says - meant to be kept
>>>> secret and to be changed for every deployment, and the vulnerabilities
>>>> in the pickle protocol are also mentioned in the Python docs.
>>>> So, "normal" applications should be safe - as long as there is no
>>>> possibility for arbitrary file access.
>>>> Though, brute-force decrypting the cookie, looking for something that
>>>> looks like pickle'd data could be possible.
>>>>
>>>> But, as an easy solution is to just use beaker.session.type = file
>>>> instead of cookie, I think it could be worth either discussing changing
>>>> the default or at least mentioning this explicitly in a red box in the
>>>> documentation. ;)
>>>> - Especially since it also applies to apps that do not actively use
>>>> tg.session - since the session gets depickled anyways (and in such
>>>> cases, a developer might think that he doesn't need to care about the
>>>> secret key at all!).
>>>>
>>>> The vulnerabilities are described here:
>>>> http://vudang.com/2013/01/python-web-framework-from-lfr-to-rce/
>>>> and a PoC for an exploit that can be used is available here:
>>>> https://github.com/danghvu/pwp
>>>>
>>>> Regards,
>>>> Moritz
>>>>
>>>> --
>>>> Moritz Schlarb
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "TurboGears" group.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to turbogears+...@googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/turbogears?hl=en.
>>>> For more options, visit https://groups.google.com/groups/opt_out.
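The serializer swap Alessandro describes (beaker.util.pickle = json) is worth seeing side by side with the behaviour it removes. The following is an added example, not code from this thread or from Beaker: a hypothetical SessionCodec that signs a serialized session dict with HMAC-SHA256 and is parameterised by serializer module, so the same signed-cookie flow can be run with json. It shows three things a practitioner would want to check before relying on the swap: a cookie whose payload is pickle bytes, even when signed with the correct key, is rejected rather than deserialized; a cookie signed with a different key is rejected before any deserialization runs; and json does not round-trip everything pickle does (tuples come back as lists, non-string keys as strings). Under Python 3 json.dumps returns str while pickle.dumps returns bytes, which the example normalises explicitly; the bare two-line monkeypatch in the thread was written for Python 2, where str is bytes. SECRET, SessionCodec, sign, rejects and pickle_cookie_with_known_secret are all constructed names for this example.

```python
# Added example: a hypothetical signed session codec, NOT Beaker's wire format
# and NOT code from the TurboGears thread. It models the json-for-pickle swap
# discussed there so the two serializers' behaviour can be compared directly.
import base64
import hashlib
import hmac
import json
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC tag in front of the payload


def sign(secret: bytes, payload: bytes) -> str:
    """Return a URL-safe cookie value: HMAC-SHA256 tag followed by the raw payload."""
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


class SessionCodec:
    """Hypothetical signed session cookie; `serializer` is any module with dumps/loads."""

    def __init__(self, secret: bytes, serializer=json):
        self.secret = secret
        self.serializer = serializer

    def encode(self, session: dict) -> str:
        payload = self.serializer.dumps(session)
        if isinstance(payload, str):  # json.dumps -> str, pickle.dumps -> bytes
            payload = payload.encode("utf-8")
        return sign(self.secret, payload)

    def decode(self, cookie: str) -> dict:
        raw = base64.urlsafe_b64decode(cookie)
        tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        # Constant-time compare, and reject before anything is deserialized.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("session cookie signature mismatch")
        # With json this can only yield plain data (or raise); with pickle a
        # validly signed payload would be executed, which is the thread's concern.
        return self.serializer.loads(payload)


def rejects(codec: SessionCodec, cookie: str) -> bool:
    """True if the codec refuses the cookie (bad signature or undecodable payload)."""
    try:
        codec.decode(cookie)
    except ValueError:  # JSONDecodeError, UnicodeDecodeError and binascii.Error all subclass ValueError
        return True
    return False


def pickle_cookie_with_known_secret(secret: bytes) -> str:
    """A cookie whose payload is pickle bytes, signed with the real key (the
    'attacker knows the secret' case). The payload is a harmless constructed
    dict; the point is that a json-backed codec never unpickles it at all."""
    return sign(secret, pickle.dumps({"user_id": 7}))


SECRET = b"constructed-demo-secret"  # constructed; a real key comes from app_cfg.py
json_codec = SessionCodec(SECRET, serializer=json)

if __name__ == "__main__":
    # Plain str/int/float values round-trip, as the thread says.
    print(json_codec.decode(json_codec.encode({"user_id": 7, "name": "moritz"})))
    # Pickle bytes signed with the correct key are refused, not executed.
    print("pickle payload rejected:", rejects(json_codec, pickle_cookie_with_known_secret(SECRET)))
    # A cookie from another key fails the signature check first.
    print("foreign key rejected:", rejects(json_codec, SessionCodec(b"other-secret").encode({"user_id": 7})))
    # Fidelity caveat of the swap: tuples become lists, int keys become str keys.
    print(json_codec.decode(json_codec.encode({"roles": ("admin",), 3: "x"})))
```

The last line is the caveat to check in your own application before switching serializers: any session value that is not a JSON type (tuples, datetimes, sets, custom objects) will either change type on the way back or fail to serialize, so an app that stores such values in tg.session needs a custom encoder or the file backend rather than the bare module swap.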

