How to disallow pickle serialization in celery

Question

Celery defaults to using pickle as its serialization method for tasks. As noted in the FAQ, this represents a security hole. Celery allows you to configure how tasks get seria

Answer 1

I was getting "ContentDisallowed: Refusing to deserialize untrusted content of type pickle (application/x-python-serialize)"

having:

CELERY_ACCEPT_CONTENT = ['json']

wasn't enough... I had to also add the followings to settings:

CELERY_TASK_SERIALIZER = 'json'
CELERY_RESULT_SERIALIZER = 'json'

Answer 2

Now that Celery supports configuration on a per-app basis, there is a cleaner way to restrict the content that a consumer will execute.

c = celery.Celery()
c.conf.update(CELERY_ACCEPT_CONTENT = ['json'])

See the Celery docs on security for details, and for more advanced security options, such as signing content.

Answer 3

I got an answer from the celery-users mailing list (From Ask Solem to be specific). Add these two lines to the config (celeryconfig/settings):

from kombu import serialization
serialization.registry._decoders.pop("application/x-python-serialize")