
Don't use pickle for SqlAlchemy backend

Open xSke opened this issue 9 years ago • 1 comment

Using pickle is a major security flaw, and can be used for remote code execution or opening a shell.

I understand the pickled data doesn't get read from the client, but it's still a bad idea to store it in the database, since if the database server gets compromised, every single app server is compromised as well.

For more information, see: https://www.cs.uic.edu/~s/musings/pickle.html

xSke avatar Dec 11 '15 15:12 xSke
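A defensive alternative to the pickled session rows the issue warns about, added here as an illustration and not flask-session's own code: the session dict is stored as JSON (data only, nothing is reconstructed as a Python object on load) with an HMAC tag, so an app server can reject rows that were altered in a compromised database. The key is a constructed placeholder; a real deployment would use the app's configured secret.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; a real app uses its own SECRET_KEY.
SECRET_KEY = b"example-secret-key-replace-me"


def dumps(session_data: dict, key: bytes = SECRET_KEY) -> bytes:
    """Serialize a session dict as canonical JSON plus an HMAC-SHA256 tag.

    JSON can only express plain data, so unlike pickle there is no code path
    that runs arbitrary callables when the row is read back.
    """
    body = json.dumps(session_data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def loads(blob: bytes, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag before parsing; a row edited in the store is rejected."""
    body, sep, tag = blob.rpartition(b".")  # hex tag never contains '.'
    if not sep:
        raise ValueError("malformed session record")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session record failed integrity check")
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("session payload must be a JSON object")
    return data


def is_intact(blob: bytes, key: bytes = SECRET_KEY) -> bool:
    """Convenience check: True only if the record verifies and parses."""
    try:
        loads(blob, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    row = dumps({"user_id": 7, "role": "user"})
    print(loads(row))                      # round-trips the dict
    tampered = row.replace(b'"user"', b'"admin"')
    print(is_intact(tampered))             # False: edited in the store
```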

This issue was moved to mcrowson/flask-session#7

mcrowson avatar Feb 12 '17 00:02 mcrowson

Pickle to be deprecated from 0.7.0 and removed in 1.0.0

Lxstr avatar Mar 10 '24 13:03 Lxstr