Ticket #5760: session.patch

File session.patch, 1.9 KB (added by Nir Soffer <nirs@…>, 8 years ago)

patch

  • django/contrib/sessions/models.py

    Only in Django-0.96-new: .DS_Store
    diff -ur Django-0.96/django/contrib/sessions/models.py Django-0.96-new/django/contrib/sessions/models.py
    old new  
    1 import base64, md5, random, sys, datetime
     1import base64, md5, hmac, random, sys, datetime
    22import cPickle as pickle
    33from django.db import models
    44from django.utils.translation import gettext_lazy as _
    55from django.conf import settings
    66
     7def digest(data):
     8    """ Returns a keyed digest of data using settings.SECRET_KEY. """
     9    # Key minimal length should be 16 bytes for md5, or 20 bytes for
     10    # sha1. Hasing the key ensure the length and make it more secure.
     11    # See http://www.faqs.org/rfcs/rfc2104.html
     12    key = md5.new(settings.SECRET_KEY).digest()
     13    return hmac.new(key, pickled).digest()
     14   
     15
    716class SessionManager(models.Manager):
    817    def encode(self, session_dict):
    918        "Returns the given session dictionary pickled and encoded as a string."
    1019        pickled = pickle.dumps(session_dict)
    11         pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
    12         return base64.encodestring(pickled + pickled_md5)
     20        return base64.encodestring(pickled + digest(pickled))
    1321
    1422    def get_new_session_key(self):
    1523        "Returns session key that isn't being used."
     
    7785    def get_decoded(self):
    7886        encoded_data = base64.decodestring(self.session_data)
    7987        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
    80         if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
     88        if digest(pickled) != tamper_check:
    8189            from django.core.exceptions import SuspiciousOperation
    8290            raise SuspiciousOperation, "User tampered with session cookie."
    8391        try:
Back to Top