Opened 12 years ago

Closed 8 years ago

#17792 closed Bug (wontfix)

pickled object's __setstate__() ignores exceptions

Reported by: rpq__@… Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords: session pickle
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Aymeric Augustin)

I find it odd that any exceptions (TypeError too) raised in a pickled object's __setstate__() are ignored.

Change History (7)

comment:1 by Aymeric Augustin, 12 years ago

Description: modified (diff)
Resolution: invalid
Status: newclosed

I fail to see how this is a bug in Django. pickle, __setstate__ and TypeError are pure Python concepts.

Please provide more information if you were actually describing a bug in Django.

comment:2 by rpq__@…, 12 years ago

Resolution: invalid
Status: closedreopened

hi,

pickle, setstate, and TypeError are python concepts, however, i have an app where *any* exception thrown in a pickled object's setstate() for use in request.session are silently caught/ignored by django. this should not be difficult to reproduce. i verified that this does not happen in "pure python"; uncaught exceptions raised in a pickled object's setstate() were being thrown as expected.

comment:3 by Ramiro Morales, 12 years ago

Triage Stage: UnreviewedAccepted

Now we are talking. Tickets opened with a description of 109 characters (less than a Tweet) aren't useful at all for anyone.

comment:4 by Aymeric Augustin, 11 years ago

Type: UncategorizedBug

comment:5 by Aymeric Augustin, 11 years ago

Status: reopenednew

comment:6 by Tim Graham, 11 years ago

Component: Uncategorizedcontrib.sessions

It's not clear to me how we would fix this. How or why would a pickled object's __setstate__ throw an exception? In django.contrib.sessions.backends.base.SessionBase.decode there's a try/except which catches all exceptions with the following comment: "ValueError, SuspiciousOperation, deserialization exceptions. If any of these happen, just return an empty dictionary (an empty session)."

comment:7 by Claude Paroz, 8 years ago

Resolution: wontfix
Status: newclosed

Now that Django session serializer defaults to JSON (https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-serialization), I'm not sure we'll fix this. If anyone can come up with some code to fix this issue, feel free to reopen.

Note: See TracTickets for help on using tickets.
Back to Top