1
0
mirror of https://github.com/django/django.git synced 2025-01-05 07:55:47 +00:00

Refs #29708 -- Removed PickleSerializer per deprecation timeline.

This commit is contained in:
Mariusz Felisiak 2023-01-12 14:43:48 +01:00
parent 23c8787439
commit b119f4329c
6 changed files with 5 additions and 107 deletions

View File

@ -1,6 +1,3 @@
# RemovedInDjango50Warning.
from django.core.serializers.base import PickleSerializer as BasePickleSerializer
from django.core.signing import JSONSerializer as BaseJSONSerializer from django.core.signing import JSONSerializer as BaseJSONSerializer
JSONSerializer = BaseJSONSerializer JSONSerializer = BaseJSONSerializer
PickleSerializer = BasePickleSerializer

View File

@ -1,38 +1,14 @@
""" """
Module for abstract serializer/unserializer base classes. Module for abstract serializer/unserializer base classes.
""" """
import pickle
import warnings
from io import StringIO from io import StringIO
from django.core.exceptions import ObjectDoesNotExist from django.core.exceptions import ObjectDoesNotExist
from django.db import models from django.db import models
from django.utils.deprecation import RemovedInDjango50Warning
DEFER_FIELD = object() DEFER_FIELD = object()
class PickleSerializer:
"""
Simple wrapper around pickle to be used in signing.dumps()/loads() and
cache backends.
"""
def __init__(self, protocol=None):
warnings.warn(
"PickleSerializer is deprecated due to its security risk. Use "
"JSONSerializer instead.",
RemovedInDjango50Warning,
)
self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
def dumps(self, obj):
return pickle.dumps(obj, self.protocol)
def loads(self, data):
return pickle.loads(data)
class SerializerDoesNotExist(KeyError): class SerializerDoesNotExist(KeyError):
"""The requested serializer was not found.""" """The requested serializer was not found."""

View File

@ -317,3 +317,5 @@ to remove usage of these features.
* The undocumented ability to pass ``errors=None`` to * The undocumented ability to pass ``errors=None`` to
``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed. ``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed.
* ``django.contrib.sessions.serializers.PickleSerializer`` is removed.

View File

@ -122,20 +122,6 @@ and the :setting:`SECRET_KEY` setting.
.. warning:: .. warning::
**If the** ``SECRET_KEY`` **or** ``SECRET_KEY_FALLBACKS`` **are not kept
secret and you are using the**
``django.contrib.sessions.serializers.PickleSerializer``, **this can lead
to arbitrary remote code execution.**
An attacker in possession of the :setting:`SECRET_KEY` or
:setting:`SECRET_KEY_FALLBACKS` can not only generate falsified session
data, which your site will trust, but also remotely execute arbitrary code,
as the data is serialized using pickle.
If you use cookie-based sessions, pay extra care that your secret key is
always kept completely secret, for any system which might be remotely
accessible.
**The session data is signed but not encrypted** **The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client. When using the cookies backend the session data can be read by the client.
@ -373,17 +359,6 @@ Bundled serializers
See the :ref:`custom-serializers` section for more details on limitations See the :ref:`custom-serializers` section for more details on limitations
of JSON serialization. of JSON serialization.
.. class:: serializers.PickleSerializer
Supports arbitrary Python objects, but, as described above, can lead to a
remote code execution vulnerability if :setting:`SECRET_KEY` or any key of
:setting:`SECRET_KEY_FALLBACKS` becomes known by an attacker.
.. deprecated:: 4.1
Due to the risk of remote code execution, this serializer is deprecated
and will be removed in Django 5.0.
.. _custom-serializers: .. _custom-serializers:
Write your own serializer Write your own serializer

View File

@ -1,11 +1,9 @@
from operator import attrgetter from operator import attrgetter
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from django.contrib.sessions.backends.db import SessionStore
from django.db import models from django.db import models
from django.db.models import Count from django.db.models import Count
from django.test import TestCase, ignore_warnings, override_settings from django.test import TestCase
from django.utils.deprecation import RemovedInDjango50Warning
from .models import ( from .models import (
Base, Base,
@ -106,29 +104,6 @@ class DeferRegressionTest(TestCase):
list(SimpleItem.objects.annotate(Count("feature")).only("name")), list list(SimpleItem.objects.annotate(Count("feature")).only("name")), list
) )
@ignore_warnings(category=RemovedInDjango50Warning)
@override_settings(
SESSION_SERIALIZER="django.contrib.sessions.serializers.PickleSerializer"
)
def test_ticket_12163(self):
# Test for #12163 - Pickling error saving session with unsaved model
# instances.
SESSION_KEY = "2b1189a188b44ad18c35e1baac6ceead"
item = Item()
item._deferred = False
s = SessionStore(SESSION_KEY)
s.clear()
s["item"] = item
s.save(must_create=True)
s = SessionStore(SESSION_KEY)
s.modified = True
s.save()
i2 = s["item"]
self.assertFalse(i2._deferred)
def test_ticket_16409(self): def test_ticket_16409(self):
# Regression for #16409 - make sure defer() and only() work with annotate() # Regression for #16409 - make sure defer() and only() work with annotate()
self.assertIsInstance( self.assertIsInstance(

View File

@ -1,4 +1,3 @@
import pickle
from datetime import datetime from datetime import datetime
from functools import partialmethod from functools import partialmethod
from io import StringIO from io import StringIO
@ -6,12 +5,11 @@ from unittest import mock, skipIf
from django.core import serializers from django.core import serializers
from django.core.serializers import SerializerDoesNotExist from django.core.serializers import SerializerDoesNotExist
from django.core.serializers.base import PickleSerializer, ProgressBar from django.core.serializers.base import ProgressBar
from django.db import connection, transaction from django.db import connection, transaction
from django.http import HttpResponse from django.http import HttpResponse
from django.test import SimpleTestCase, override_settings, skipUnlessDBFeature from django.test import SimpleTestCase, override_settings, skipUnlessDBFeature
from django.test.utils import Approximate, ignore_warnings from django.test.utils import Approximate
from django.utils.deprecation import RemovedInDjango50Warning
from .models import ( from .models import (
Actor, Actor,
@ -487,31 +485,6 @@ class SerializersTransactionTestBase:
self.assertEqual(art_obj.author.name, "Agnes") self.assertEqual(art_obj.author.name, "Agnes")
class PickleSerializerTests(SimpleTestCase):
@ignore_warnings(category=RemovedInDjango50Warning)
def test_serializer_protocol(self):
serializer = PickleSerializer(protocol=3)
self.assertEqual(serializer.protocol, 3)
# If protocol is not provided, it defaults to pickle.HIGHEST_PROTOCOL
serializer = PickleSerializer()
self.assertEqual(serializer.protocol, pickle.HIGHEST_PROTOCOL)
@ignore_warnings(category=RemovedInDjango50Warning)
def test_serializer_loads_dumps(self):
serializer = PickleSerializer()
test_data = "test data"
dump = serializer.dumps(test_data)
self.assertEqual(serializer.loads(dump), test_data)
def test_serializer_warning(self):
msg = (
"PickleSerializer is deprecated due to its security risk. Use "
"JSONSerializer instead."
)
with self.assertRaisesMessage(RemovedInDjango50Warning, msg):
PickleSerializer()
def register_tests(test_class, method_name, test_func, exclude=()): def register_tests(test_class, method_name, test_func, exclude=()):
""" """
Dynamically create serializer tests to ensure that all registered Dynamically create serializer tests to ensure that all registered