celery: only accept msgpack content
2c205c615eaa
Actions

Authored by Marco Neumann <marco@crepererum.net> on Apr 13 2015, 15:53.

Description

celery: only accept msgpack content

SECURITY Forces Celery to only accept msgpack content when using standard configuration. This disallows pickle messages which can be used for remote code execution. (closes #3003)

INCOMPATIBILITY If you use any Celery serializer other than msgpack, you must update configuration variable CELERY_ACCEPT_CONTENT to include that serializer.

Signed-off-by: Marco Neumann <marco@crepererum.net>

Committed

Marco Neumann <marco@crepererum.net>

Apr 14 2015, 08:44

Parents

R3600:607cd4ba5795: global: removal of nonsense debug output

Branches

Unknown

Tags

Unknown

Marco Neumann <marco@crepererum.net> committed R3600:2c205c615eaa: celery: only accept msgpack content (authored by Marco Neumann <marco@crepererum.net>).Apr 14 2015, 08:44

				Path
	M			.kwalitee.yml
	M			invenio/celery/config.py