Fixed #20444 -- Cookie-based sessions do not include a remote code execution warning

This commit is contained in:
Erik Romijn 2013-05-18 16:35:39 +02:00 committed by Aymeric Augustin
parent 3634948c88
commit d5ce2ff5e4
1 changed files with 11 additions and 0 deletions


@ -125,6 +125,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning:: .. warning::
**If the :setting:`SECRET_KEY` is not kept secret, this can lead to
arbitrary remote code execution.**
An attacker in possession of the :setting:`SECRET_KEY` can not only
generate falsified session data, which your site will trust, but also
remotely execute arbitrary code, as the data is serialized using pickle.
If you use cookie-based sessions, pay extra care that your secret key is
always kept completely secret, for any system which might be remotely
accessible.
**The session data is signed but not encrypted** **The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client. When using the cookies backend the session data can be read by the client.
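Review bot: the second paragraph of the new warning ("If you use cookie-based sessions, pay extra care that your secret key is always kept completely secret, for any system which might be remotely accessible.") is awkwardly worded and the trailing qualifier weakens the point: "pay extra care" should be "take extra care", and "for any system which might be remotely accessible" reads as if the key only needs protecting on network-exposed hosts, whereas the preceding sentence already states that anyone holding the key can execute arbitrary code. Suggest tightening to: "If you use cookie-based sessions, take extra care that your secret key is always kept completely secret." Secondly, the opening sentence "If the :setting:`SECRET_KEY` is not kept secret, this can lead to arbitrary remote code execution" leaves "this" without a clear referent; naming the backend ("using the cookie-based session backend can lead to ...") makes the bold summary self-contained. Finally, the justification "as the data is serialized using pickle" is the load-bearing fact of the whole warning; it would be worth stating explicitly that the remote code execution consequence is a property of pickle deserializing data the client controls, so that a reader (and a future editor) understands the warning's scope is tied to the serializer rather than to signing itself, which the next paragraph already describes as sound but unencrypted.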