
Arbitrary data being unpickled may allow code execution #1

Open
frgtn opened this issue Nov 9, 2016 · 1 comment

Comments

@frgtn
Contributor

frgtn commented Nov 9, 2016

RedisBackend tries to unpickle data it receives from redis without checking any signatures. This is a potential security issue: an adversary with access to the redis server could perform a code execution attack on application servers running beaker_redis code.

Generally a good way is to either sign the pickled data with a secret key and then check the signature before unpickling, or use a serialization format such as JSON or msgpack.

Beaker can already sign (and encrypt) session data but this is now being bypassed at the backend level.

@frgtn frgtn changed the title Arbitrary data being unpickled allows code execution Arbitrary data being unpickled may allow code execution Nov 9, 2016
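One way to implement the signing approach proposed above, as an added example that is not code from beaker_redis or from the issue's participants: the pickle bytes get an HMAC-SHA256 tag prepended, and the reader verifies that tag in constant time before ever calling pickle.loads, so a blob that was replaced or edited in redis is rejected without being deserialized. The key value, the sample session and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import pickle

# Assumed secret for the example only; a real deployment loads it from
# application configuration, never from redis itself (constructed value).
SECRET_KEY = b"example-secret-key-replace-me"
DIGEST_SIZE = hashlib.sha256().digest_size  # 32 bytes for SHA-256

# Constructed sample session payload.
SAMPLE_SESSION = {"user_id": 42, "roles": ["admin"], "csrf": "abc123"}


class BadSignature(Exception):
    """Raised when a stored blob does not carry a valid HMAC tag."""


def dumps_signed(obj, key=SECRET_KEY):
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def loads_signed(blob, key=SECRET_KEY):
    """Verify the tag first (constant-time compare), only then unpickle."""
    if len(blob) < DIGEST_SIZE:
        raise BadSignature("blob too short to contain a tag")
    tag, payload = blob[:DIGEST_SIZE], blob[DIGEST_SIZE:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise BadSignature("HMAC mismatch: blob was not produced with our key")
    return pickle.loads(payload)  # reached only for authenticated data


def is_accepted(blob, key=SECRET_KEY):
    """True if blob verifies and unpickles, False if rejected before unpickling."""
    try:
        loads_signed(blob, key)
        return True
    except BadSignature:
        return False


def flip_last_byte(blob):
    """Simulate a tampered redis entry: corrupt one byte of the pickle payload."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


if __name__ == "__main__":
    signed = dumps_signed(SAMPLE_SESSION)
    print("round trip:", loads_signed(signed) == SAMPLE_SESSION)
    print("tampered accepted:", is_accepted(flip_last_byte(signed)))
```

The tag protects integrity only: anyone holding SECRET_KEY can still produce a valid blob, so the key must live with the application, not in the redis instance it guards.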
@zzzsochi
Owner

Yes, it's a security issue.
I do not need it. If you want, you can implement and create a pull request, but it should be disableable.
