From 1d2b4fd13edc972dd4076500b1ec4cb972bef1c9 Mon Sep 17 00:00:00 2001
From: jonathan vanasco
Date: Mon, 4 Nov 2019 16:59:41 -0500
Subject: deprecate PickleSerializer

---
 docs/narr/sessions.rst | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

(limited to 'docs')

diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index c2cc60de8..413dc5b8e 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -91,26 +91,32 @@ Remember that sessions should be short-lived and thus the number of clients affe
 .. code-block:: python
     :linenos:
 
+    import pickle
     from pyramid.session import JSONSerializer
-    from pyramid.session import PickleSerializer
     from pyramid.session import SignedCookieSessionFactory
 
+
     class JSONSerializerWithPickleFallback(object):
         def __init__(self):
             self.json = JSONSerializer()
-            self.pickle = PickleSerializer()
 
-        def dumps(self, value):
+        def dumps(self, appstruct):
+            """Accept a Python object and return bytes."""
             # maybe catch serialization errors here and keep using pickle
             # while finding spots in your app that are not storing
             # JSON-serializable objects, falling back to pickle
-            return self.json.dumps(value)
+            return self.json.dumps(appstruct)
 
-        def loads(self, value):
+        def loads(self, bstruct):
+            """Accept bytes and return a Python object."""
             try:
-                return self.json.loads(value)
+                return self.json.loads(bstruct)
             except ValueError:
-                return self.pickle.loads(value)
+                try:
+                    return pickle.loads(bstruct)
+                # at least ValueError, AttributeError, ImportError but more to be safe
+                except Exception:
+                    raise ValueError
 
     # somewhere in your configuration code
     serializer = JSONSerializerWithPickleFallback()
-- cgit v1.2.3
From 9264004c92adf731cd8164a63e199558ffdd2751 Mon Sep 17 00:00:00 2001
From: jonathan vanasco
Date: Mon, 4 Nov 2019 17:45:44 -0500
Subject: changes based on feedback

---
 docs/narr/sessions.rst | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'docs')
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index 413dc5b8e..d9befec82 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -101,10 +101,14 @@ Remember that sessions should be short-lived and thus the number of clients affe
             self.json = JSONSerializer()
 
         def dumps(self, appstruct):
-            """Accept a Python object and return bytes."""
-            # maybe catch serialization errors here and keep using pickle
-            # while finding spots in your app that are not storing
-            # JSON-serializable objects, falling back to pickle
+            """
+            Accept a Python object and return bytes.
+
+            During a migration, you may want to catch serialization errors here,
+            and keep using pickle while finding spots in your app that are not
+            storing JSON-serializable objects. You may also want to integrate
+            a fall-back to picke serialization here as well.
+            """
             return self.json.dumps(appstruct)
 
         def loads(self, bstruct):
@@ -114,8 +118,9 @@ Remember that sessions should be short-lived and thus the number of clients affe
             except ValueError:
                 try:
                     return pickle.loads(bstruct)
-                # at least ValueError, AttributeError, ImportError but more to be safe
                 except Exception:
+                    # this block should catch at least:
+                    # ValueError, AttributeError, ImportError; but more to be safe
                     raise ValueError
 
     # somewhere in your configuration code
-- cgit v1.2.3
From 3bc31c66c41f795abdaa270645f1046f70a86e07 Mon Sep 17 00:00:00 2001
From: jonathan vanasco
Date: Mon, 4 Nov 2019 17:56:27 -0500
Subject: fixed rst; migrated some inline references to the docs

---
 docs/narr/sessions.rst | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'docs')

diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index d9befec82..8ae20d63e 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -85,6 +85,12 @@ This is a stricter contract than the previous requirement that all objects be pi
 
 This is a backward-incompatible change. Previously, if a client-side session implementation was compromised, it left the application vulnerable to remote code execution attacks using specially-crafted sessions that execute code when deserialized.
 
+Please reference the following tickets if detailed information on these changes is needed:
+
+* `2.0 feature request: Require that sessions are JSON serializable #2709 `_.
+* `deprecate pickleable sessions, recommend json #3353 `_.
+* `change to use JSONSerializer for SignedCookieSessionFactory #3413 `_.
+
 For users with compatibility concerns, it's possible to craft a serializer that can handle both formats until you are satisfied that clients have had time to reasonably upgrade.
 Remember that sessions should be short-lived and thus the number of clients affected should be small (no longer than an auth token, at a maximum). An example serializer:
 
-- cgit v1.2.3
From 24c19c8780379c77dc1cf5567d8cf18009d4d780 Mon Sep 17 00:00:00 2001
From: jonathan vanasco
Date: Tue, 5 Nov 2019 11:42:08 -0500
Subject: typo and tabs

---
 docs/narr/sessions.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'docs')

diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index 8ae20d63e..2da524d4c 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -113,7 +113,7 @@ Remember that sessions should be short-lived and thus the number of clients affe
             During a migration, you may want to catch serialization errors here,
             and keep using pickle while finding spots in your app that are not
             storing JSON-serializable objects. You may also want to integrate
-            a fall-back to picke serialization here as well.
+            a fall-back to pickle serialization here as well.
             """
             return self.json.dumps(appstruct)
 
@@ -125,8 +125,8 @@ Remember that sessions should be short-lived and thus the number of clients affe
                 try:
                     return pickle.loads(bstruct)
                 except Exception:
-                    # this block should catch at least:
-                    # ValueError, AttributeError, ImportError; but more to be safe
+                    # this block should catch at least:
+                    # ValueError, AttributeError, ImportError; but more to be safe
                     raise ValueError
 
     # somewhere in your configuration code
-- cgit v1.2.3
From 150fff0ffcf86aabf551b17cdd75e9aa5ff55fb4 Mon Sep 17 00:00:00 2001
From: Jan Likar
Date: Thu, 7 Nov 2019 05:52:56 +0100
Subject: Fix a typo in a class reference

---
 docs/whatsnew-2.0.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs')

diff --git a/docs/whatsnew-2.0.rst b/docs/whatsnew-2.0.rst
index bf1554a27..ec506894e 100644
--- a/docs/whatsnew-2.0.rst
+++ b/docs/whatsnew-2.0.rst
@@ -56,7 +56,7 @@ flexibility in authorization implementations, especially those that do not match
 the ACL pattern. If you were previously using :class:`pyramid.authorization.ACLAuthorizationPolicy`, you can achieve the same results by writing your own ``permits`` method using
-:class:`pyraid.authorization.ACLHelper`. For more details on implementing an
+:class:`pyramid.authorization.ACLHelper`. For more details on implementing an
 ACL, see :ref:`assigning_acls`.
 
 Pyramid does not provide any built-in security policies. Similiar
-- cgit v1.2.3
From 9ffdc7c9270ca9ef25ed01495e5f210db9d37710 Mon Sep 17 00:00:00 2001
From: Andrea Borghi
Date: Mon, 11 Nov 2019 14:18:35 +0100
Subject: ZopeTransactionExtension is not valid anymore, replace with zope.sqlalchemy.register

The new version of zope.sqlalchemy does not provide ZopeTransactionExtension anymore. As stated in (this official PR)[https://github.com/zopefoundation/zope.sqlalchemy/pull/38]

---
 docs/quick_tutorial/databases/tutorial/models.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'docs')
diff --git a/docs/quick_tutorial/databases/tutorial/models.py b/docs/quick_tutorial/databases/tutorial/models.py
index b27c38417..2d70e0db6 100644
--- a/docs/quick_tutorial/databases/tutorial/models.py
+++ b/docs/quick_tutorial/databases/tutorial/models.py
@@ -13,10 +13,10 @@ from sqlalchemy.orm import (
     sessionmaker,
 )
 
-from zope.sqlalchemy import ZopeTransactionExtension
+from zope.sqlalchemy import register
 
-DBSession = scoped_session(
-    sessionmaker(extension=ZopeTransactionExtension()))
+DBSession = scoped_session(sessionmaker(autoflush=False))
+register(DBSession)
 Base = declarative_base()
 
 
@@ -32,4 +32,4 @@ class Root(object):
                (Allow, 'group:editors', 'edit')]
 
     def __init__(self, request):
-        pass
\ No newline at end of file
+        pass
-- cgit v1.2.3
From 418e64eb644f7a850ec87002ec8c875eb8b1b843 Mon Sep 17 00:00:00 2001
From: Andrea Borghi
Date: Mon, 11 Nov 2019 14:55:32 +0100
Subject: remove autoflush=False

autoflush is necessary for the current implementation views.py

---
 docs/quick_tutorial/databases/tutorial/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs')

diff --git a/docs/quick_tutorial/databases/tutorial/models.py b/docs/quick_tutorial/databases/tutorial/models.py
index 2d70e0db6..8e6649d49 100644
--- a/docs/quick_tutorial/databases/tutorial/models.py
+++ b/docs/quick_tutorial/databases/tutorial/models.py
@@ -15,7 +15,7 @@ from sqlalchemy.orm import (
 
 from zope.sqlalchemy import register
 
-DBSession = scoped_session(sessionmaker(autoflush=False))
+DBSession = scoped_session(sessionmaker())
 register(DBSession)
 Base = declarative_base()
 
-- cgit v1.2.3
From e6526f599bf4c98f9d7524f05203ee839b1b6c0a Mon Sep 17 00:00:00 2001
From: Behzod Saidov
Date: Mon, 9 Dec 2019 14:29:57 -0800
Subject: Fixed typo. Remove extra $.

---
 docs/quick_tutorial/json.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs')

diff --git a/docs/quick_tutorial/json.rst b/docs/quick_tutorial/json.rst
index 44d1de8cb..19d346199 100644
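Review bot: The rewritten `DBSession = scoped_session(sessionmaker())` line silently falls back to SQLAlchemy's default autoflush, and nothing in the file records why the explicit `autoflush=False` from the previous commit had to be removed; that rationale lives only in the commit message ("autoflush is necessary for the current implementation views.py"). Without a trace in the code, the next editor of this tutorial is likely to re-add the flag, since the commit it reverts is adjacent in history. A one-line comment above the assignment would prevent that, e.g. `# keep SQLAlchemy's default autoflush=True: the tutorial's views.py depends on it`. The `register(DBSession)` line below it is unchanged and still correctly joins the scoped session to the transaction manager, so the module-level statement run here appears complete within the hunk.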
--- a/docs/quick_tutorial/json.rst
+++ b/docs/quick_tutorial/json.rst
@@ -63,7 +63,7 @@ Steps
 
    .. code-block:: bash
 
-      $ $VENV/bin/pserve development.ini --reload
+      $VENV/bin/pserve development.ini --reload
 
 #. Open http://localhost:6543/howdy.json in your browser and you will see the resulting JSON response.
-- cgit v1.2.3
From 70abeebc3d1d075eb5846f670ddaf9e4eed9e61d Mon Sep 17 00:00:00 2001
From: Behzod Saidov
Date: Mon, 9 Dec 2019 14:39:51 -0800
Subject: view_classes.rst doc: "classes" -> "functions"

---
 docs/quick_tutorial/view_classes.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs')

diff --git a/docs/quick_tutorial/view_classes.rst b/docs/quick_tutorial/view_classes.rst
index 1307857b7..c9f61f5a3 100644
--- a/docs/quick_tutorial/view_classes.rst
+++ b/docs/quick_tutorial/view_classes.rst
@@ -78,7 +78,7 @@ To ease the transition to view classes, we didn't introduce any new
 functionality. We simply changed the view functions to methods on a view class, then updated the tests.
 
-In our ``TutorialViews`` view class, you can see that our two view classes are
+In our ``TutorialViews`` view class, you can see that our two view functions are
 logically grouped together as methods on a common class. Since the two views shared the same template, we could move that to a ``@view_defaults`` decorator at the class level.