-rw-r--r--CHANGES.rst9
-rw-r--r--docs/api/session.rst6
-rw-r--r--pyramid/session.py29
3 files changed, 38 insertions, 6 deletions
diff --git a/CHANGES.rst b/CHANGES.rst
index 92e1e4313..97a38591c 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -90,6 +90,15 @@ Deprecations
of the documentation for more information about this change.
See https://github.com/Pylons/pyramid/pull/3353
+- The ``pyramid.session.signed_serialize`` and
+ ``pyramid.session.signed_deserialize`` functions will be removed in Pyramid
+ 2.0, along with the removal of
+ ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` which was
+ deprecated in Pyramid 1.5. Please switch to using the
+ ``SignedCookieSessionFactory``, copying the code, or another session
+ implementation if you're still using these features.
+ See https://github.com/Pylons/pyramid/pull/3353
+
Backward Incompatibilities
--------------------------
diff --git a/docs/api/session.rst b/docs/api/session.rst
index e0d2db726..d0cb112ec 100644
--- a/docs/api/session.rst
+++ b/docs/api/session.rst
@@ -5,14 +5,8 @@
.. automodule:: pyramid.session
- .. autofunction:: signed_serialize
-
- .. autofunction:: signed_deserialize
-
.. autofunction:: SignedCookieSessionFactory
- .. autofunction:: UnencryptedCookieSessionFactoryConfig
-
.. autofunction:: BaseCookieSessionFactory
.. autoclass:: PickleSerializer
diff --git a/pyramid/session.py b/pyramid/session.py
index 3caf4181a..b953fa184 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -64,6 +64,14 @@ def signed_serialize(data, secret):
cookieval = signed_serialize({'a':1}, 'secret')
response.set_cookie('signed_cookie', cookieval)
+
+ .. deprecated:: 1.10
+
+ This function will be removed in :app:`Pyramid` 2.0. It is using
+ pickle-based serialization, which is considered vulnerable to remote
+ code execution attacks and will no longer be used by the default
+ session factories at that time.
+
"""
pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
try:
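Review bot: The new `.. deprecated::` text blames this function's own serialization for the remote-code-execution risk, but the `pickle.dumps` call right after the docstring is not the dangerous direction; the exposure is that its output is later handed to `pickle.loads` in `signed_deserialize`, so anyone who obtains (or guesses) the HMAC secret can mint a cookie that executes arbitrary code when it is loaded. I would reword the middle sentence to roughly `Its output is unpickled by signed_deserialize, so a leaked or weak secret turns a forged cookie into arbitrary code execution.` The directive should also name the replacement the way the CHANGES entry does, e.g. `Use SignedCookieSessionFactory with a non-pickle serializer instead.` signed_serialize's signature and its return statement lie outside this hunk.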
@@ -74,6 +82,13 @@ def signed_serialize(data, secret):
sig = hmac.new(secret, pickled, hashlib.sha1).hexdigest()
return sig + native_(base64.b64encode(pickled))
+deprecated(
+ 'signed_serialize',
+ 'This function will be removed in Pyramid 2.0. It is using pickle-based '
+ 'serialization, which is considered vulnerable to remote code execution '
+ 'attacks.',
+)
+
def signed_deserialize(serialized, secret, hmac=hmac):
""" Deserialize the value returned from ``signed_serialize``. If
the value cannot be deserialized for any reason, a
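Review bot: The three-line message passed to `deprecated()` here is repeated verbatim for `signed_deserialize` later in the file, so the next time the wording is corrected one copy will drift; hoist it into a single module-level constant such as `_PICKLE_DEPRECATION_MSG = ('This function will be removed in Pyramid 2.0. ' ...)` and pass that to both calls. The `deprecated` helper itself is imported outside this diff, so I assume it is the existing zope-style module-attribute wrapper rather than something new. This hunk straddles the end of signed_serialize and the start of signed_deserialize, whose body continues past the hunk.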
@@ -86,6 +101,13 @@ def signed_deserialize(serialized, secret, hmac=hmac):
cookieval = request.cookies['signed_cookie']
data = signed_deserialize(cookieval, 'secret')
+
+ .. deprecated:: 1.10
+
+ This function will be removed in :app:`Pyramid` 2.0. It is using
+ pickle-based serialization, which is considered vulnerable to remote
+ code execution attacks and will no longer be used by the default
+ session factories at that time.
"""
# hmac parameterized only for unit tests
try:
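Review bot: The `.. deprecated::` block added to signed_deserialize is not followed by a blank line before the closing `"""`, unlike the matching block in signed_serialize, so the two docstrings are formatted inconsistently and the directive may render differently; insert the blank line after `session factories at that time.` The directive should also tell callers what to migrate to, since the CHANGES entry names `SignedCookieSessionFactory`, and it is worth saying plainly that the `pickle.loads` this function ends with is what makes a compromised `secret` equivalent to remote code execution, because that is the actual reason for the removal. The signature check between this hunk and the `pickle.loads` return is outside the diff, so I cannot confirm from here that it runs before the unpickle. The function begins in the hunk header and continues beyond this hunk.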
@@ -109,6 +131,13 @@ def signed_deserialize(serialized, secret, hmac=hmac):
return pickle.loads(pickled)
+deprecated(
+ 'signed_deserialize',
+ 'This function will be removed in Pyramid 2.0. It is using pickle-based '
+ 'serialization, which is considered vulnerable to remote code execution '
+ 'attacks.',
+)
+
class PickleSerializer(object):
""" A serializer that uses the pickle protocol to dump Python