pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Don't use pickle for SQLAlchemy backend #29

Closed xSke closed 8 months ago

xSke commented 8 years ago

Using pickle is a major security flaw, and can be used for remote code execution or opening a shell.

I understand the pickled data doesn't get read from the client, but it's still a bad idea to store it in the database, since if the database server gets compromised, every single app server is compromised as well.

For more information, see: https://www.cs.uic.edu/~s/musings/pickle.html
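Two defensive options for a store that persists sessions as described in the issue, written here as an added example rather than flask-session's own code (the function names and the sample session are assumed): a JSON serializer, which has no object-construction feature, and, for rows that must still be read as pickle, a restricted unpickler that refuses every global outside a small allow-list.

```python
"""Hardening a DB-backed session store against stored-pickle code execution.
Added example, not flask-session's own code; assumes sessions are dicts of
JSON-friendly values plus timezone-aware datetimes."""
import io
import json
import pickle
from datetime import datetime, timezone

def sample_session():
    # Constructed sample of the kind of dict a session interface persists.
    return {"user_id": 42, "roles": ["admin"],
            "login_at": datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)}

# Option 1: a serializer with no "construct this object" feature. A tampered
# row can at worst yield unexpected values, never a function call.
def json_dumps(session):
    def default(o):
        if isinstance(o, datetime):
            return {"__datetime__": o.isoformat()}
        raise TypeError(f"unsupported session value: {type(o).__name__}")
    return json.dumps(session, default=default).encode()

def json_loads(blob):
    def hook(d):
        return datetime.fromisoformat(d["__datetime__"]) if "__datetime__" in d else d
    return json.loads(blob.decode(), object_hook=hook)

# Option 2: while old pickled rows must still be read, allow only the globals a
# plain session needs; a pickle naming any other callable is refused on load.
SAFE_GLOBALS = {("datetime", "datetime"), ("datetime", "timezone"),
                ("datetime", "timedelta")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def load_or_reject(blob):
    """(True, session) for an allowed pickle, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed stand-in for a tampered row: it merely *references* a harmless
# callable (json.dumps); the restricted loader still refuses it.
TAMPERED_BLOB = pickle.dumps({"user_id": 42, "hook": json.dumps})
LEGACY_BLOB = pickle.dumps(sample_session())
```

Migrating to the JSON serializer removes the deserialization risk entirely; the restricted unpickler is only a bridge while legacy rows are still being read.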

mcrowson commented 7 years ago

This issue was moved to mcrowson/flask-session#7

Lxstr commented 8 months ago

Pickle to be deprecated from 0.7.0 and removed in 1.0.0