From 1d2b4fd13edc972dd4076500b1ec4cb972bef1c9 Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Mon, 4 Nov 2019 16:59:41 -0500 Subject: deprecate PickleSerializer --- CHANGES.rst | 2 ++ docs/narr/sessions.rst | 20 +++++++++++++------- src/pyramid/session.py | 20 +++++++++++++++++--- tests/test_session.py | 4 ++++ 4 files changed, 36 insertions(+), 10 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 987d5c3d4..b70e8f4f8 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -4,6 +4,8 @@ unreleased Features -------- +- Deprecated ``pyramid.session.PickleSerializer``. + - Changed the default ``serializer`` on ``pyramid.session.SignedCookieSessionFactory`` to use ``pyramid.session.JSONSerializer`` instead of diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index c2cc60de8..413dc5b8e 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -91,26 +91,32 @@ Remember that sessions should be short-lived and thus the number of clients affe .. code-block:: python :linenos: + import pickle from pyramid.session import JSONSerializer - from pyramid.session import PickleSerializer from pyramid.session import SignedCookieSessionFactory + class JSONSerializerWithPickleFallback(object): def __init__(self): self.json = JSONSerializer() - self.pickle = PickleSerializer() - def dumps(self, value): + def dumps(self, appstruct): + """Accept a Python object and return bytes.""" # maybe catch serialization errors here and keep using pickle # while finding spots in your app that are not storing # JSON-serializable objects, falling back to pickle - return self.json.dumps(value) + return self.json.dumps(appstruct) - def loads(self, value): + def loads(self, bstruct): + """Accept bytes and return a Python object.""" try: - return self.json.loads(value) + return self.json.loads(bstruct) except ValueError: - return self.pickle.loads(value) + try: + return pickle.loads(bstruct) + # at least ValueError, AttributeError, ImportError but more to be safe + except Exception: + raise ValueError # somewhere in your configuration code serializer = JSONSerializerWithPickleFallback() diff --git a/src/pyramid/session.py b/src/pyramid/session.py index 70ac4f55f..adfe28a39 100644 --- a/src/pyramid/session.py +++ b/src/pyramid/session.py @@ -44,10 +44,24 @@ def manage_changed(wrapped): class PickleSerializer(object): - """ A serializer that uses the pickle protocol to dump Python - data to bytes. + """ + .. deprecated:: 2.0 + + .. warning:: + + In :app:`Pyramid` 2.0 the default ``serializer`` option changed to + use :class:`pyramid.session.JSONSerializer`, and ``PickleSerializer` + has been been removed from active Pyramid code. + + Pyramid will require JSON-serializable objects in :app:`Pyramid` 2.0. + + Please see :ref:`pickle_session_deprecation`. + + Also, please see: #2709, #3353, #3413 + + A serializer that uses the pickle protocol to dump Python data to bytes. - This is the default serializer used by Pyramid. + This was the default serializer used by Pyramid, but has been deprecated. ``protocol`` may be specified to control the version of pickle used. Defaults to :attr:`pickle.HIGHEST_PROTOCOL`. diff --git a/tests/test_session.py b/tests/test_session.py index 8e5e82bb2..582a7ed4a 100644 --- a/tests/test_session.py +++ b/tests/test_session.py @@ -564,6 +564,10 @@ class Test_manage_changed(unittest.TestCase): class TestPickleSerializer(unittest.TestCase): + """ + .. deprecated:: 2.0 + """ + def _makeOne(self): from pyramid.session import PickleSerializer -- cgit v1.2.3 From 9264004c92adf731cd8164a63e199558ffdd2751 Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Mon, 4 Nov 2019 17:45:44 -0500 Subject: changes based on feedback --- docs/narr/sessions.rst | 15 ++++++++++----- src/pyramid/session.py | 32 +++++++++++++++++++++----------- 2 files changed, 31 insertions(+), 16 deletions(-) diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index 413dc5b8e..d9befec82 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -101,10 +101,14 @@ Remember that sessions should be short-lived and thus the number of clients affe self.json = JSONSerializer() def dumps(self, appstruct): - """Accept a Python object and return bytes.""" - # maybe catch serialization errors here and keep using pickle - # while finding spots in your app that are not storing - # JSON-serializable objects, falling back to pickle + """ + Accept a Python object and return bytes. + + During a migration, you may want to catch serialization errors here, + and keep using pickle while finding spots in your app that are not + storing JSON-serializable objects. You may also want to integrate + a fall-back to picke serialization here as well. + """ return self.json.dumps(appstruct) def loads(self, bstruct): @@ -114,8 +118,9 @@ Remember that sessions should be short-lived and thus the number of clients affe except ValueError: try: return pickle.loads(bstruct) - # at least ValueError, AttributeError, ImportError but more to be safe except Exception: + # this block should catch at least: + # ValueError, AttributeError, ImportError; but more to be safe raise ValueError # somewhere in your configuration code diff --git a/src/pyramid/session.py b/src/pyramid/session.py index adfe28a39..efac52140 100644 --- a/src/pyramid/session.py +++ b/src/pyramid/session.py @@ -49,15 +49,24 @@ class PickleSerializer(object): .. warning:: - In :app:`Pyramid` 2.0 the default ``serializer`` option changed to - use :class:`pyramid.session.JSONSerializer`, and ``PickleSerializer` - has been been removed from active Pyramid code. + In :app:`Pyramid` 2.0 the default ``serializer`` option changed to + use :class:`pyramid.session.JSONSerializer`, and ``PickleSerializer` + has been been removed from active Pyramid code. - Pyramid will require JSON-serializable objects in :app:`Pyramid` 2.0. + Pyramid will require JSON-serializable objects in :app:`Pyramid` 2.0. - Please see :ref:`pickle_session_deprecation`. + Please see :ref:`pickle_session_deprecation`. - Also, please see: #2709, #3353, #3413 + Also, please see these tickets: + + * 2.0 feature request: Require that sessions are JSON serializable #2709 + https://github.com/pylons/pyramid/issues/2709 + + * deprecate pickleable sessions, recommend json #3353 + https://github.com/Pylons/pyramid/pull/3353 + + * change to use JSONSerializer for SignedCookieSessionFactory #3413 + https://github.com/Pylons/pyramid/pull/3413 A serializer that uses the pickle protocol to dump Python data to bytes. @@ -75,8 +84,9 @@ class PickleSerializer(object): """Accept bytes and return a Python object.""" try: return pickle.loads(bstruct) - # at least ValueError, AttributeError, ImportError but more to be safe except Exception: + # this block should catch at least: + # ValueError, AttributeError, ImportError; but more to be safe raise ValueError def dumps(self, appstruct): @@ -452,10 +462,10 @@ def SignedCookieSessionFactory( .. warning:: - In :app:`Pyramid` 2.0 the default ``serializer`` option changed to - use :class:`pyramid.session.JSONSerializer`. See - :ref:`pickle_session_deprecation` for more information about why this - change was made. + In :app:`Pyramid` 2.0 the default ``serializer`` option changed to + use :class:`pyramid.session.JSONSerializer`. See + :ref:`pickle_session_deprecation` for more information about why this + change was made. .. versionadded: 1.5a3 -- cgit v1.2.3 From b6604fc39e542a78bc6cb4f009bf972ba4db098f Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Mon, 4 Nov 2019 17:47:03 -0500 Subject: updated docstring issuet --- src/pyramid/session.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/pyramid/session.py b/src/pyramid/session.py index efac52140..d317b7c48 100644 --- a/src/pyramid/session.py +++ b/src/pyramid/session.py @@ -50,7 +50,7 @@ class PickleSerializer(object): .. warning:: In :app:`Pyramid` 2.0 the default ``serializer`` option changed to - use :class:`pyramid.session.JSONSerializer`, and ``PickleSerializer` + use :class:`pyramid.session.JSONSerializer`, and ``PickleSerializer`` has been been removed from active Pyramid code. Pyramid will require JSON-serializable objects in :app:`Pyramid` 2.0. @@ -74,7 +74,6 @@ class PickleSerializer(object): ``protocol`` may be specified to control the version of pickle used. Defaults to :attr:`pickle.HIGHEST_PROTOCOL`. - """ def __init__(self, protocol=pickle.HIGHEST_PROTOCOL): -- cgit v1.2.3 From 3bc31c66c41f795abdaa270645f1046f70a86e07 Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Mon, 4 Nov 2019 17:56:27 -0500 Subject: fixed rst; migrated some inline references to the docs --- docs/narr/sessions.rst | 6 ++++++ src/pyramid/session.py | 11 ----------- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index d9befec82..8ae20d63e 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -85,6 +85,12 @@ This is a stricter contract than the previous requirement that all objects be pi This is a backward-incompatible change. Previously, if a client-side session implementation was compromised, it left the application vulnerable to remote code execution attacks using specially-crafted sessions that execute code when deserialized. +Please reference the following tickets if detailed information on these changes is needed: + +* `2.0 feature request: Require that sessions are JSON serializable #2709 `_. +* `deprecate pickleable sessions, recommend json #3353 `_. +* `change to use JSONSerializer for SignedCookieSessionFactory #3413 `_. + For users with compatibility concerns, it's possible to craft a serializer that can handle both formats until you are satisfied that clients have had time to reasonably upgrade. Remember that sessions should be short-lived and thus the number of clients affected should be small (no longer than an auth token, at a maximum). An example serializer: diff --git a/src/pyramid/session.py b/src/pyramid/session.py index d317b7c48..ededdaab7 100644 --- a/src/pyramid/session.py +++ b/src/pyramid/session.py @@ -57,17 +57,6 @@ class PickleSerializer(object): Please see :ref:`pickle_session_deprecation`. - Also, please see these tickets: - - * 2.0 feature request: Require that sessions are JSON serializable #2709 - https://github.com/pylons/pyramid/issues/2709 - - * deprecate pickleable sessions, recommend json #3353 - https://github.com/Pylons/pyramid/pull/3353 - - * change to use JSONSerializer for SignedCookieSessionFactory #3413 - https://github.com/Pylons/pyramid/pull/3413 - A serializer that uses the pickle protocol to dump Python data to bytes. This was the default serializer used by Pyramid, but has been deprecated. -- cgit v1.2.3 From 24c19c8780379c77dc1cf5567d8cf18009d4d780 Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Tue, 5 Nov 2019 11:42:08 -0500 Subject: typo and tabs --- docs/narr/sessions.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index 8ae20d63e..2da524d4c 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -113,7 +113,7 @@ Remember that sessions should be short-lived and thus the number of clients affe During a migration, you may want to catch serialization errors here, and keep using pickle while finding spots in your app that are not storing JSON-serializable objects. You may also want to integrate - a fall-back to picke serialization here as well. + a fall-back to pickle serialization here as well. """ return self.json.dumps(appstruct) @@ -125,8 +125,8 @@ Remember that sessions should be short-lived and thus the number of clients affe try: return pickle.loads(bstruct) except Exception: - # this block should catch at least: - # ValueError, AttributeError, ImportError; but more to be safe + # this block should catch at least: + # ValueError, AttributeError, ImportError; but more to be safe raise ValueError # somewhere in your configuration code -- cgit v1.2.3 From d118466861373a80494dd343fe950b0d87ecda51 Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Tue, 5 Nov 2019 13:45:49 -0500 Subject: updated changes signed main repo contributors --- CHANGES.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES.rst b/CHANGES.rst index b70e8f4f8..537ca4671 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -5,6 +5,9 @@ Features -------- - Deprecated ``pyramid.session.PickleSerializer``. + See https://github.com/pylons/pyramid/issues/2709 + and https://github.com/pylons/pyramid/pull/3353 + and https://github.com/pylons/pyramid/pull/3413 - Changed the default ``serializer`` on ``pyramid.session.SignedCookieSessionFactory`` to use -- cgit v1.2.3 From 5a77d1dc082d0f2cedc7320616f2d96f61a3ed9c Mon Sep 17 00:00:00 2001 From: jonathan vanasco Date: Tue, 5 Nov 2019 17:04:11 -0500 Subject: invoke `deprecated()` --- src/pyramid/session.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/pyramid/session.py b/src/pyramid/session.py index ededdaab7..10e1ea313 100644 --- a/src/pyramid/session.py +++ b/src/pyramid/session.py @@ -82,6 +82,14 @@ class PickleSerializer(object): return pickle.dumps(appstruct, self.protocol) +deprecated( + 'PickleSerializer', + 'pyramid.session.PickleSerializer is deprecated as of Pyramid 2.0 for ' + 'security concerns. Use pyramid.session.JSONSerializer or reference the ' + 'narrative documentation for information on building a migration tool.', +) + + JSONSerializer = JSONSerializer # api -- cgit v1.2.3