e1ff51c045
We don't want to use pickle as it can execute arbitrary code. JSON is safer. However, note that it supports serialization for only some specific subset of object types; this should be enough for what we need, though.

To avoid issues on upgrades (inability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values:

 0 = older, insecure pickle serialization
 1 = json serialization but pickles can still be read (still insecure)
 2 = json serialization only (secure and the default)

To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload.

Support for 0 and 1 will be removed in future versions.

Part of bug 1006414.

Change-Id: Id7d6d547b103b4f23ebf5be98b88f09ec6027ce4
16 lines
794 B
Plaintext
[memcache]
# You can use this single conf file instead of having memcache_servers set in
# several other conf files under [filter:cache] for example. You can specify
# multiple servers separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211
# memcache_servers = 127.0.0.1:11211
#
# Sets how memcache values are serialized and deserialized:
# 0 = older, insecure pickle serialization
# 1 = json serialization but pickles can still be read (still insecure)
# 2 = json serialization only (secure and the default)
# To avoid an instant full cache flush, existing installations should
# upgrade with 0, then set to 1 and reload, then after some time (24 hours)
# set to 2 and reload.
# In the future, the ability to use pickle serialization will be removed.
# memcache_serialization_support = 2
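How the three memcache_serialization_support values behave across the staged upgrade, as an added example that is not the project's own code. The flag names and values, the function names and the sample entry are assumptions made for illustration, including the choice to read JSON entries in every mode.

```python
import json
import pickle

# Flag stored beside each cache entry to record its encoding.
# The names and values are assumptions made for this example.
PICKLE_FLAG = 1
JSON_FLAG = 2


def encode(value, mode):
    """Serialize value as memcache_serialization_support=mode would."""
    if mode == 0:
        return PICKLE_FLAG, pickle.dumps(value)
    if mode in (1, 2):
        # json handles only basic types; anything else raises TypeError
        return JSON_FLAG, json.dumps(value).encode("utf-8")
    raise ValueError("mode must be 0, 1 or 2")


def decode(flag, blob, mode):
    """Return the cached value, or None (a cache miss) if it may not be read."""
    if flag == JSON_FLAG:
        return json.loads(blob.decode("utf-8"))
    if flag == PICKLE_FLAG and mode in (0, 1):
        # Insecure: unpickling bytes written by an attacker can execute code.
        return pickle.loads(blob)
    return None  # mode 2 never unpickles; the entry is simply re-fetched


def rolling_upgrade():
    """Walk one cache entry through the 0 -> 1 -> 2 upgrade sequence."""
    cache = {}
    cache["acct"] = encode({"status": 200}, mode=0)  # written before upgrade
    seen = {"old_entry_at_1": decode(*cache["acct"], mode=1)}
    seen["old_entry_at_2"] = decode(*cache["acct"], mode=2)
    cache["acct"] = encode({"status": 200}, mode=1)  # rewritten as JSON
    seen["new_entry_at_2"] = decode(*cache["acct"], mode=2)
    return seen


if __name__ == "__main__":
    print(rolling_upgrade())
```

An entry pickled under 0 is still a hit at 1 but a miss at 2, which is why the waiting period at 1 lets old entries expire or be rewritten as JSON instead of flushing the whole cache at once.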