Opened 7 years ago

Closed 3 years ago

#17792 closed Bug (wontfix)

pickled object's __setstate__() ignores exceptions

Reported by: rpq__@… Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords: session pickle
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Aymeric Augustin)

I find it odd that any exceptions (TypeError too) raised in a pickled object's __setstate__() are ignored.

Change History (7)

comment:1 Changed 7 years ago by Aymeric Augustin

Description: modified (diff)
Resolution: invalid
Status: new → closed

I fail to see how this is a bug in Django. pickle, __setstate__ and TypeError are pure Python concepts.

Please provide more information if you were actually describing a bug in Django.

comment:2 Changed 7 years ago by rpq__@…

Resolution: invalid
Status: closed → reopened


pickle, __setstate__, and TypeError are Python concepts; however, I have an app where *any* exception thrown in a pickled object's __setstate__() for use in request.session is silently caught/ignored by Django. This should not be difficult to reproduce. I verified that this does not happen in "pure Python"; uncaught exceptions raised in a pickled object's __setstate__() were being thrown as expected.

comment:3 Changed 7 years ago by Ramiro Morales

Triage Stage: Unreviewed → Accepted

Now we are talking. Tickets opened with a description of 109 characters (less than a Tweet) aren't useful at all for anyone.

comment:4 Changed 6 years ago by Aymeric Augustin

Type: Uncategorized → Bug

comment:5 Changed 6 years ago by Aymeric Augustin

Status: reopened → new

comment:6 Changed 5 years ago by Tim Graham

Component: Uncategorized → contrib.sessions

It's not clear to me how we would fix this. How or why would a pickled object's __setstate__ throw an exception? In django.contrib.sessions.backends.base.SessionBase.decode there's a try/except which catches all exceptions with the following comment: "ValueError, SuspiciousOperation, deserialization exceptions. If any of these happen, just return an empty dictionary (an empty session)."
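The behaviour discussed in comments 2 and 6, reproduced as an added example that is not part of the ticket thread or of Django's code: plain `pickle.loads` propagates a `TypeError` raised in `__setstate__`, while a decoder with a blanket `try/except` turns it into an empty session. `Cart`, the function names and the logger name are hypothetical, and the two decode functions only imitate the try/except quoted in comment 6.

```python
import logging
import pickle

log = logging.getLogger("session_decode_demo")  # hypothetical logger name


class Cart:
    """Constructed sample object whose __setstate__ rejects invalid state."""

    def __init__(self, items):
        self.items = items

    def __setstate__(self, state):
        if not isinstance(state.get("items"), list):
            raise TypeError("items must be a list")
        self.__dict__.update(state)


def make_session(items):
    """Pickle a session dict holding a Cart; items may be deliberately invalid."""
    cart = Cart([])
    cart.items = items  # saved as-is; only checked by __setstate__ on load
    return pickle.dumps({"cart": cart})


def plain_pickle_error(data):
    """Return the exception class name raised by bare pickle.loads, or None."""
    try:
        pickle.loads(data)
    except Exception as exc:
        return type(exc).__name__
    return None


def decode_swallowing(data):
    """Imitates the blanket try/except: any failure becomes an empty session."""
    try:
        return pickle.loads(data)
    except Exception:
        return {}


def decode_logging(data):
    """Same fallback, but the swallowed exception is recorded for operators."""
    try:
        return pickle.loads(data)
    except Exception as exc:
        log.warning("session decode failed: %s: %s", type(exc).__name__, exc)
        return {}
```

With `decode_swallowing`, a user whose stored session fails to load simply appears logged out, with no trace of the `TypeError`; `decode_logging` keeps the same fallback but leaves a record to investigate.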

comment:7 Changed 3 years ago by Claude Paroz

Resolution: wontfix
Status: new → closed

Now that Django session serializer defaults to JSON, I'm not sure we'll fix this. If anyone can come up with some code to fix this issue, feel free to reopen.
