Michael Merickel
2018-09-16 ba5ca651c2cba9e45c80e0fb0ed6c6408ea3e042
deprecate signed_serialize and signed_deserialize
3 files modified
CHANGES.rst
@@ -90,6 +90,15 @@
  of the documentation for more information about this change.
  See https://github.com/Pylons/pyramid/pull/3353
- The ``pyramid.session.signed_serialize`` and
  ``pyramid.session.signed_deserialize`` functions will be removed in Pyramid
  2.0, along with the removal of
  ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` which was
  deprecated in Pyramid 1.5. Please switch to using the
  ``SignedCookieSessionFactory``, copying the code, or another session
  implementation if you're still using these features.
  See https://github.com/Pylons/pyramid/pull/3353
Backward Incompatibilities
--------------------------
docs/api/session.rst
@@ -5,13 +5,7 @@
.. automodule:: pyramid.session
  .. autofunction:: signed_serialize
  .. autofunction:: signed_deserialize
  .. autofunction:: SignedCookieSessionFactory
  .. autofunction:: UnencryptedCookieSessionFactoryConfig
  .. autofunction:: BaseCookieSessionFactory
pyramid/session.py
@@ -64,6 +64,14 @@
       cookieval = signed_serialize({'a':1}, 'secret')
       response.set_cookie('signed_cookie', cookieval)
    .. deprecated:: 1.10
       This function will be removed in :app:`Pyramid` 2.0. It is using
       pickle-based serialization, which is considered vulnerable to remote
       code execution attacks and will no longer be used by the default
       session factories at that time.
    """
    pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
    try:
@@ -73,6 +81,13 @@
        secret = bytes_(secret, 'utf-8')
    sig = hmac.new(secret, pickled, hashlib.sha1).hexdigest()
    return sig + native_(base64.b64encode(pickled))
deprecated(
    'signed_serialize',
    'This function will be removed in Pyramid 2.0. It is using pickle-based '
    'serialization, which is considered vulnerable to remote code execution '
    'attacks.',
)
def signed_deserialize(serialized, secret, hmac=hmac):
    """ Deserialize the value returned from ``signed_serialize``.  If
@@ -86,6 +101,13 @@
       cookieval = request.cookies['signed_cookie']
       data = signed_deserialize(cookieval, 'secret')
    .. deprecated:: 1.10
       This function will be removed in :app:`Pyramid` 2.0. It is using
       pickle-based serialization, which is considered vulnerable to remote
       code execution attacks and will no longer be used by the default
       session factories at that time.
    """
    # hmac parameterized only for unit tests
    try:
@@ -109,6 +131,13 @@
    return pickle.loads(pickled)
deprecated(
    'signed_deserialize',
    'This function will be removed in Pyramid 2.0. It is using pickle-based '
    'serialization, which is considered vulnerable to remote code execution '
    'attacks.',
)
class PickleSerializer(object):
    """ A serializer that uses the pickle protocol to dump Python
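Review bot: The `.. deprecated:: 1.10` text added to both docstrings says pickle serialization is "considered vulnerable to remote code execution attacks" without saying what currently stands between an incoming cookie and the unpickler: the HMAC comparison that runs before `pickle.loads(pickled)` at the end of signed_deserialize, so only data signed with the secret reaches pickle, and a leaked or guessable secret therefore becomes code execution on the server. I'd add one sentence to both docstrings, e.g. `Only the HMAC check guards the unpickling step, so the secret must be treated as equivalent to code-execution capability.`, so operators understand why protecting and rotating the secret matters until the 2.0 removal. The same message string is repeated verbatim in both `deprecated(...)` calls and both docstrings; a module-level constant (something like `_PICKLE_DEPRECATION_MSG`) would keep the four copies from drifting. Both signed_serialize and signed_deserialize start and end outside the hunks shown here.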