Django 1.5.3 release notes
This is Django 1.5.3, the third release in the Django 1.5 series. It addresses one security issue and also contains an opt-in feature to enhance the security of django.contrib.sessions.
Directory traversal vulnerability in ssi template tag
The check that a file included by the ssi template tag lies under one of the ALLOWED_INCLUDE_ROOTS was applied to the path as given, so a path containing '..' segments could pass the prefix check and reach files outside those roots. In practice this is not a very common problem, as it would require the template author to take the path passed to the ssi tag from a user-controlled variable, but it is possible in principle.
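The two checks below are an added illustration and are not Django's own code: a prefix test against a constructed ALLOWED_INCLUDE_ROOTS applied to the raw path, which a '..' traversal passes, beside the same test applied after normalising the path. The hardened version also goes slightly beyond the traversal case by requiring a path separator after the root, so that a sibling directory sharing the root's name as a prefix is not accepted either. posixpath is used so the result is the same on every platform.

```python
"""Added example: why the ssi include check must normalise the path first."""
import posixpath

# Constructed setting for the example. Django's real ALLOWED_INCLUDE_ROOTS
# is a tuple of absolute directory prefixes that ssi may read from.
ALLOWED_INCLUDE_ROOTS = ("/var/www/includes",)

TRAVERSAL = "/var/www/includes/../../../etc/passwd"   # resolves to /etc/passwd
SIBLING = "/var/www/includes-private/secret.html"     # shares the root as a prefix


def include_is_allowed_unnormalised(filepath):
    """Prefix test on the path exactly as the template supplied it.

    TRAVERSAL starts with '/var/www/includes', so it is accepted even though
    the file it names lives outside every allowed root.
    """
    return any(filepath.startswith(root) for root in ALLOWED_INCLUDE_ROOTS)


def include_is_allowed_normalised(filepath):
    """Resolve '.', '..' and repeated separators before testing the prefix.

    After normalisation TRAVERSAL is '/etc/passwd' and is rejected. Matching
    root + '/' (or the root itself) also rejects SIBLING, which a bare
    startswith() on the root would let through.
    """
    filepath = posixpath.normpath(filepath)
    for root in ALLOWED_INCLUDE_ROOTS:
        root = posixpath.normpath(root)
        if filepath == root or filepath.startswith(root + "/"):
            return True
    return False


if __name__ == "__main__":
    for path in ("/var/www/includes/header.html", TRAVERSAL, SIBLING):
        print("%-45s raw=%-5s normalised=%s" % (
            path,
            include_is_allowed_unnormalised(path),
            include_is_allowed_normalised(path)))
```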
Mitigating a remote-code execution vulnerability in django.contrib.sessions
Session data is serialized with pickle before it is stored, so an attacker who can write to the session store, for example by forging a signed-cookie session after a SECRET_KEY leak, can store a payload that executes arbitrary code on the server when it is unpickled. This attack can be mitigated by serializing session data using JSON rather than pickle. To facilitate this, Django 1.5.3 introduces a new setting, SESSION_SERIALIZER, to customize the session serialization format. For backwards compatibility, this setting defaults to using pickle. While JSON serialization does not support all Python objects like pickle does, we highly recommend switching to JSON-serialized values. Also, as JSON requires string keys, you will likely run into problems if you are using non-string keys in request.session. See the session serialization documentation for more details.
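The following is an added, stand-alone example and not Django's own code. It defines two minimal serializers with the dumps()/loads() interface that a session serializer must provide, feeds both the same forged pickle blob to show that only the pickle path runs attacker-chosen code, and then shows the JSON key caveat: an integer key survives the round trip only as a string, and a tuple key or a datetime value is rejected outright. The Gadget class uses os.getcwd as a deliberately harmless stand-in for the callable an attacker would actually choose; the session contents are constructed for the example.

```python
"""Added example: pickle versus JSON session payloads, as SESSION_SERIALIZER selects.

In settings.py the opt-in looks like:
    SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
The 1.5.3 default is '...serializers.PickleSerializer'.
"""
import datetime
import json
import os
import pickle


class PickleSerializer(object):
    """Mirrors the default behaviour: any object in, any code out on load."""

    def dumps(self, obj):
        return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)

    def loads(self, data):
        return pickle.loads(data)


class JSONSerializer(object):
    """Mirrors the recommended behaviour: JSON types only, nothing is executed."""

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


class Gadget(object):
    """Attacker-chosen object. pickle stores the callable and arguments that
    __reduce__ returns, and pickle.loads() calls them. os.getcwd is a harmless
    stand-in here; os.system would be stored and invoked the same way."""

    def __reduce__(self):
        return (os.getcwd, ())


def forged_session_blob():
    """What an attacker who can write to the session store would save
    (constructed session contents)."""
    return PickleSerializer().dumps({"user_id": 1, "payload": Gadget()})


def load_with_pickle(blob):
    """Server side under the default serializer: the gadget fires during loads()
    and 'payload' comes back as the callable's return value, not a Gadget."""
    return PickleSerializer().loads(blob)


def load_with_json(blob):
    """Server side with the JSON serializer: the same bytes are not valid JSON,
    so loads() raises and the session is treated as empty; no code runs."""
    try:
        return JSONSerializer().loads(blob)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None


def json_roundtrip(session_dict):
    """Store and reload a session dict through the JSON serializer."""
    serializer = JSONSerializer()
    return serializer.loads(serializer.dumps(session_dict))


def json_accepts(session_dict):
    """True if the JSON serializer can store this session at all."""
    try:
        JSONSerializer().dumps(session_dict)
        return True
    except TypeError:  # tuple keys, datetime values, arbitrary objects
        return False


if __name__ == "__main__":
    blob = forged_session_blob()
    print("pickle:", load_with_pickle(blob))     # payload is a str, the gadget ran
    print("json:  ", load_with_json(blob))       # None, blob rejected
    print(json_roundtrip({1: "x"}))              # {'1': 'x'}: key became a string
    print(json_accepts({(1, 2): "x"}))           # False
    print(json_accepts({"when": datetime.datetime(2013, 9, 14)}))  # False
```

Note that json.dumps() silently converts int, float, bool and None keys to strings rather than raising, so code that later does request.session[1] will get a KeyError; the TypeError only appears for keys such as tuples and for non-JSON values such as datetime.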