Opened 3 years ago

Last modified 2 years ago

#17792 new Bug

pickled object's __setstate__() ignores exceptions

Reported by: rpq__@…
Owned by: nobody
Component: contrib.sessions
Version: 1.3
Severity: Normal
Keywords: session pickle
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by aaugustin)

I find it odd that any exceptions (TypeError too) raised in a pickled object's __setstate__() are ignored.

Change History (6)

comment:1 Changed 3 years ago by aaugustin

  • Description modified (diff)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

I fail to see how this is a bug in Django. pickle, __setstate__ and TypeError are pure Python concepts.

Please provide more information if you were actually describing a bug in Django.

comment:2 Changed 3 years ago by rpq__@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

Hi,

pickle, __setstate__, and TypeError are Python concepts; however, I have an app where *any* exception thrown in a pickled object's __setstate__() for use in request.session is silently caught/ignored by Django. This should not be difficult to reproduce. I verified that this does not happen in "pure Python"; uncaught exceptions raised in a pickled object's __setstate__() were being thrown as expected.

comment:3 Changed 3 years ago by ramiro

  • Triage Stage changed from Unreviewed to Accepted

Now we are talking. Tickets opened with a description of 109 characters (less than a Tweet) aren't useful at all for anyone.

comment:4 Changed 2 years ago by aaugustin

  • Type changed from Uncategorized to Bug

comment:5 Changed 2 years ago by aaugustin

  • Status changed from reopened to new

comment:6 Changed 2 years ago by timo

  • Component changed from Uncategorized to contrib.sessions

It's not clear to me how we would fix this. How or why would a pickled object's __setstate__ throw an exception? In django.contrib.sessions.backends.base.SessionBase.decode there's a try/except which catches all exceptions with the following comment: "ValueError, SuspiciousOperation, deserialization exceptions. If any of these happen, just return an empty dictionary (an empty session)."
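
The behaviour discussed in this ticket, as an added example (not Django's code and not posted by anyone in the thread): a bare pickle round trip raises the `__setstate__` error, while a decode function with the same catch-all shape as the one quoted in comment:6 returns an empty session. `SECRET`, `Cart`, `encode`, `decode`, `plain_roundtrip_error` and the `report` hook are hypothetical names, and the MAC scheme is a simplified assumption.

```python
import base64
import hashlib
import hmac
import pickle

SECRET = b"constructed-demo-key"  # constructed value, stands in for a signing key

class Cart:
    """Constructed session object whose __setstate__ always fails."""
    def __init__(self):
        self.items = ["book"]
    def __setstate__(self, state):
        raise TypeError("state layout changed")

def _mac(pickled):
    return hmac.new(SECRET, pickled, hashlib.sha256).hexdigest().encode()

def encode(obj):
    pickled = pickle.dumps(obj)
    return base64.b64encode(_mac(pickled) + b":" + pickled)

def plain_roundtrip_error(obj):
    """Return the exception a bare pickle round trip raises, or None."""
    try:
        pickle.loads(pickle.dumps(obj))
    except Exception as exc:
        return exc
    return None

def decode(data, report=None):
    """Simplified stand-in for the catch-all described in comment:6.
    `report` is an added hook that receives the swallowed exception."""
    try:
        mac, pickled = base64.b64decode(data).split(b":", 1)
        if not hmac.compare_digest(mac, _mac(pickled)):
            raise ValueError("session data corrupted")
        return pickle.loads(pickled)
    except Exception as exc:
        if report:
            report(exc)
        return {}  # tampering and application bugs look identical here

if __name__ == "__main__":
    seen = []
    print(repr(plain_roundtrip_error(Cart())))
    print(decode(encode(Cart()), seen.append), seen)
```

With the `report` hook wired to a logger, an application error in authenticated session data can be told apart from corrupted or tampered data, even though both still yield an empty session.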
