Refs #29708 -- Removed PickleSerializer per deprecation timeline.

2025-01-03 15:06:09 +00:00 · 2023-01-12 14:43:48 +01:00 · 2023-01-12 14:43:48 +01:00 · b119f4329c
commit b119f4329c
parent 23c8787439
6 changed files with 5 additions and 107 deletions
--- a/django/contrib/sessions/serializers.py
+++ b/django/contrib/sessions/serializers.py
@ -1,6 +1,3 @@
-# RemovedInDjango50Warning.
-from django.core.serializers.base import PickleSerializer as BasePickleSerializer
 from django.core.signing import JSONSerializer as BaseJSONSerializer

 JSONSerializer = BaseJSONSerializer
-PickleSerializer = BasePickleSerializer
--- a/django/core/serializers/base.py
+++ b/django/core/serializers/base.py
@ -1,38 +1,14 @@
 """
 Module for abstract serializer/unserializer base classes.
 """
-import pickle
-import warnings
 from io import StringIO

 from django.core.exceptions import ObjectDoesNotExist
 from django.db import models
-from django.utils.deprecation import RemovedInDjango50Warning

 DEFER_FIELD = object()


-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        warnings.warn(
-            "PickleSerializer is deprecated due to its security risk. Use "
-            "JSONSerializer instead.",
-            RemovedInDjango50Warning,
-        )
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        return pickle.loads(data)
-
-
 class SerializerDoesNotExist(KeyError):
    """The requested serializer was not found."""

--- a/docs/releases/5.0.txt
+++ b/docs/releases/5.0.txt
@ -317,3 +317,5 @@ to remove usage of these features.

 * The undocumented ability to pass ``errors=None`` to
  ``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed.
+
+* ``django.contrib.sessions.serializers.PickleSerializer`` is removed.
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -122,20 +122,6 @@ and the :setting:`SECRET_KEY` setting.

 .. warning::

-    **If the** ``SECRET_KEY`` **or** ``SECRET_KEY_FALLBACKS`` **are not kept
-    secret and you are using the**
-    ``django.contrib.sessions.serializers.PickleSerializer``, **this can lead
-    to arbitrary remote code execution.**
-
-    An attacker in possession of the :setting:`SECRET_KEY` or
-    :setting:`SECRET_KEY_FALLBACKS` can not only generate falsified session
-    data, which your site will trust, but also remotely execute arbitrary code,
-    as the data is serialized using pickle.
-
-    If you use cookie-based sessions, pay extra care that your secret key is
-    always kept completely secret, for any system which might be remotely
-    accessible.
-
    **The session data is signed but not encrypted**

    When using the cookies backend the session data can be read by the client.
@ -373,17 +359,6 @@ Bundled serializers
    See the :ref:`custom-serializers` section for more details on limitations
    of JSON serialization.

-.. class:: serializers.PickleSerializer
-
-    Supports arbitrary Python objects, but, as described above, can lead to a
-    remote code execution vulnerability if :setting:`SECRET_KEY` or any key of
-    :setting:`SECRET_KEY_FALLBACKS` becomes known by an attacker.
-
-    .. deprecated:: 4.1
-
-        Due to the risk of remote code execution, this serializer is deprecated
-        and will be removed in Django 5.0.
-
 .. _custom-serializers:

 Write your own serializer
--- a/tests/defer_regress/tests.py
+++ b/tests/defer_regress/tests.py
@ -1,11 +1,9 @@
 from operator import attrgetter

 from django.contrib.contenttypes.models import ContentType
-from django.contrib.sessions.backends.db import SessionStore
 from django.db import models
 from django.db.models import Count
-from django.test import TestCase, ignore_warnings, override_settings
-from django.utils.deprecation import RemovedInDjango50Warning
+from django.test import TestCase

 from .models import (
    Base,
@ -106,29 +104,6 @@ class DeferRegressionTest(TestCase):
            list(SimpleItem.objects.annotate(Count("feature")).only("name")), list
        )

-    @ignore_warnings(category=RemovedInDjango50Warning)
-    @override_settings(
-        SESSION_SERIALIZER="django.contrib.sessions.serializers.PickleSerializer"
-    )
-    def test_ticket_12163(self):
-        # Test for #12163 - Pickling error saving session with unsaved model
-        # instances.
-        SESSION_KEY = "2b1189a188b44ad18c35e1baac6ceead"
-
-        item = Item()
-        item._deferred = False
-        s = SessionStore(SESSION_KEY)
-        s.clear()
-        s["item"] = item
-        s.save(must_create=True)
-
-        s = SessionStore(SESSION_KEY)
-        s.modified = True
-        s.save()
-
-        i2 = s["item"]
-        self.assertFalse(i2._deferred)
-
    def test_ticket_16409(self):
        # Regression for #16409 - make sure defer() and only() work with annotate()
        self.assertIsInstance(
--- a/tests/serializers/tests.py
+++ b/tests/serializers/tests.py
@ -1,4 +1,3 @@
-import pickle
 from datetime import datetime
 from functools import partialmethod
 from io import StringIO
@ -6,12 +5,11 @@ from unittest import mock, skipIf

 from django.core import serializers
 from django.core.serializers import SerializerDoesNotExist
-from django.core.serializers.base import PickleSerializer, ProgressBar
+from django.core.serializers.base import ProgressBar
 from django.db import connection, transaction
 from django.http import HttpResponse
 from django.test import SimpleTestCase, override_settings, skipUnlessDBFeature
-from django.test.utils import Approximate, ignore_warnings
-from django.utils.deprecation import RemovedInDjango50Warning
+from django.test.utils import Approximate

 from .models import (
    Actor,
@ -487,31 +485,6 @@ class SerializersTransactionTestBase:
        self.assertEqual(art_obj.author.name, "Agnes")


-class PickleSerializerTests(SimpleTestCase):
-    @ignore_warnings(category=RemovedInDjango50Warning)
-    def test_serializer_protocol(self):
-        serializer = PickleSerializer(protocol=3)
-        self.assertEqual(serializer.protocol, 3)
-        # If protocol is not provided, it defaults to pickle.HIGHEST_PROTOCOL
-        serializer = PickleSerializer()
-        self.assertEqual(serializer.protocol, pickle.HIGHEST_PROTOCOL)
-
-    @ignore_warnings(category=RemovedInDjango50Warning)
-    def test_serializer_loads_dumps(self):
-        serializer = PickleSerializer()
-        test_data = "test data"
-        dump = serializer.dumps(test_data)
-        self.assertEqual(serializer.loads(dump), test_data)
-
-    def test_serializer_warning(self):
-        msg = (
-            "PickleSerializer is deprecated due to its security risk. Use "
-            "JSONSerializer instead."
-        )
-        with self.assertRaisesMessage(RemovedInDjango50Warning, msg):
-            PickleSerializer()
-
-
 def register_tests(test_class, method_name, test_func, exclude=()):
    """
    Dynamically create serializer tests to ensure that all registered