Question
in celery 3.1+ there is a new security feature that won't allow you to start celery if you are running the daemon as superuser.
My question is why specifically running celery workers that accept pickled strings is so bad that celery would now introduce a feature where an environment variable must be explicitly set for it to be allowed?
thanks
La solution
pickle simply isn't secure:
The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
As such the Celery team has decided that its users need to be explicit that they wish to accept pickled data.
https://stackoverflow.com/questions/19989822
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian