| author | Ask Solem <ask@celeryproject.org> | 2013-04-15 12:45:25 +0100 |
|---|---|---|
| committer | Ask Solem <ask@celeryproject.org> | 2013-04-15 12:45:25 +0100 |
| commit | 970e27db8e5d05a31574f4b90c151832d620f772 (patch) | |
| tree | 9fe4caa032547ae3b58530281b453da99c1c6814 /docs/userguide | |
| parent | adac332fa14fd81273a3af74d477569304b3a3ea (diff) | |
| parent | 4962da4a19c477bca05bea1eb73d8eb6655f4c5a (diff) | |
| download | kombu-970e27db8e5d05a31574f4b90c151832d620f772.tar.gz | |
Merge branch '2.5'
Conflicts:
Changelog
README.rst
kombu/__init__.py
kombu/messaging.py
kombu/serialization.py
kombu/transport/redis.py
requirements/default.txt
Diffstat (limited to 'docs/userguide')
| -rw-r--r-- | docs/userguide/serialization.rst | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/docs/userguide/serialization.rst b/docs/userguide/serialization.rst index 3f236861..7a8ec0e4 100644 --- a/docs/userguide/serialization.rst +++ b/docs/userguide/serialization.rst @@ -77,6 +77,33 @@ Note that a `Consumer` do not need the serialization method specified. They can auto-detect the serialization method as the content-type is sent as a message header. +.. _disable-untrusted-serializers: + +Disabling Insecure Serializers +------------------------------ + +.. versionadded:: 2.5.10 + +Deserializing pickle and yaml from untrusted sources is not safe, +as both pickle and yaml have the ability to execute arbitrary code. + +If you are not using these formats you should disable them +by calling :func:`kombu.disable_insecure_serializers`:: + + >>> import kombu + >>> kombu.disable_insecure_serializers() + +Or you can specify the content types your consumers should +accept by using the ``accept`` argument:: + + >>> Consumer(accept=['json', 'pickle']) + >>> Consumer(accept=['application/json']) + +.. note:: + + Insecure serializers will be disabled by default + in the next major version (Kombu 3.0) + .. _sending-raw-data: Sending raw data without Serialization |
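Review bot: The first `accept` example in the added section, `Consumer(accept=['json', 'pickle'])`, lists pickle directly under a heading and paragraph that tell readers pickle is unsafe for untrusted input, so anyone copying it keeps an unsafe format enabled. Change it to `Consumer(accept=['json'])`, or add a sentence saying that this form deliberately opts in to pickle and is only appropriate when every producer is trusted. The section also does not say what a consumer does with a message whose content type is not in `accept`, or whether an `accept` list that names pickle takes effect after `kombu.disable_insecure_serializers()` has been called; a sentence on each would let readers know which of the two settings wins. Finally, the two examples use a serializer name (`'json'`) and a MIME type (`'application/json'`) without saying both forms are accepted, which is worth stating explicitly.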
