Ticket #5760: session.patch

django/contrib/sessions/models.py

@@ -1 @@
-import base64, md5, random, sys, datetime
+import base64, md5, hmac, random, sys, datetime
 import cPickle as pickle
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from django.conf import settings
 
+def digest(data):
+    """ Returns a keyed digest of data using settings.SECRET_KEY. """
+    # Key minimal length should be 16 bytes for md5, or 20 bytes for
+    # sha1. Hasing the key ensure the length and make it more secure.
+    # See http://www.faqs.org/rfcs/rfc2104.html
+    key = md5.new(settings.SECRET_KEY).digest()
+    return hmac.new(key, pickled).digest()
+    
+
 class SessionManager(models.Manager):
     def encode(self, session_dict):
         "Returns the given session dictionary pickled and encoded as a string."
         pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
+        return base64.encodestring(pickled + digest(pickled))
 
     def get_new_session_key(self):
         "Returns session key that isn't being used."
@@ -77 +85 @@
     def get_decoded(self):
         encoded_data = base64.decodestring(self.session_data)
         pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+        if digest(pickled) != tamper_check:
             from django.core.exceptions import SuspiciousOperation
             raise SuspiciousOperation, "User tampered with session cookie."
         try: