Changeset 7001

Timestamp:

01/06/08 06:53:09 (8 months ago)

Author:

mtredinnick

Message:

Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.

Files:

• django/trunk/django/contrib/sessions/backends/db.py (modified) (4 diffs)
• django/trunk/django/contrib/sessions/backends/file.py (modified) (6 diffs)

django/trunk/django/contrib/sessions/backends/db.py

@@ -11 +11 @@
-    def __init__(self, session_key=None):
-        super(SessionStore, self).__init__(session_key)
-
+
-    def load(self):
-        try:
-            s = Session.objects.get(
- 
+
-                expire_date__gt=datetime.datetime.now()
-            )
-            return self.decode(s.session_data)
-        except (Session.DoesNotExist, SuspiciousOperation):
-
+
-            # Create a new session_key for extra security.
-            self.session_key = self._get_new_session_key()
@@ -27 +27 @@
-            # Save immediately to minimize collision
-            self.save()
+            # Ensure the user is notified via a new cookie.
+            self.modified = True
-            return {}
-
+
-    def exists(self, session_key):
-        try:
@@ -35 +37 @@
-            return False
-        return True
-
+
-    def save(self):
-        Session.objects.create(
@@ -42 +44 @@
-            expire_date = datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE)
-        )
-
+
-    def delete(self, session_key):
-        try:

django/trunk/django/contrib/sessions/backends/file.py

@@ -11 +11 @@
-    def __init__(self, session_key=None):
-        self.storage_path = getattr(settings, "SESSION_FILE_PATH", tempfile.gettempdir())
-
+
-        # Make sure the storage path is valid.
-        if not os.path.isdir(self.storage_path):
@@ -18 +18 @@
-                                       "to an existing directory in which Django "\
-                                       "can store session data." % self.storage_path)
-
-    
+
+
-        super(SessionStore, self).__init__(session_key)
-
+
-    def _key_to_file(self, session_key=None):
-        """
@@ -28 +28 @@
-        if session_key is None:
-            session_key = self.session_key
-
+
-        # Make sure we're not vulnerable to directory traversal. Session keys
-        # should always be md5s, so they should never contain directory components.
-        if os.path.sep in session_key:
-            raise SuspiciousOperation("Invalid characters (directory components) in session key")
-
+
-        return os.path.join(self.storage_path, self.file_prefix + session_key)
-
+
-    def load(self):
-        session_data = {}
@@ -47 +47 @@
-                    self._session_cache = {}
-                    self.save()
+                    # Ensure the user is notified via a new cookie.
+                    self.modified = True
-            finally:
-                session_file.close()
@@ -67 +69 @@
-            return True
-        return False
-
+
-    def delete(self, session_key):
-        try:
@@ -73 +75 @@
-        except OSError:
-            pass
-
+
-    def clean(self):
-        pass