Opened 4 years ago

Closed 5 months ago

#17792 closed Bug (wontfix)

pickled object's __setstate__() ignores exceptions

Reported by: rpq__@… Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords: session pickle
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by aaugustin)

I find it odd that any exceptions (TypeError too) raised in a pickled object's __setstate__() are ignored.

Change History (7)

comment:1 Changed 4 years ago by aaugustin

  • Description modified (diff)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

I fail to see how this is a bug in Django. pickle, __setstate__ and TypeError are pure Python concepts.

Please provide more information if you were actually describing a bug in Django.

comment:2 Changed 4 years ago by rpq__@…

  • Resolution invalid deleted
  • Status changed from closed to reopened


pickle, setstate, and TypeError are python concepts, however, i have an app where *any* exception thrown in a pickled object's setstate() for use in request.session are silently caught/ignored by django. this should not be difficult to reproduce. i verified that this does not happen in "pure python"; uncaught exceptions raised in a pickled object's setstate() were being thrown as expected.

comment:3 Changed 4 years ago by ramiro

  • Triage Stage changed from Unreviewed to Accepted

Now we are talking. Tickets opened with a description of 109 characters (less than a Tweet) aren't useful at all for anyone.

comment:4 Changed 3 years ago by aaugustin

  • Type changed from Uncategorized to Bug

comment:5 Changed 3 years ago by aaugustin

  • Status changed from reopened to new

comment:6 Changed 3 years ago by timo

  • Component changed from Uncategorized to contrib.sessions

It's not clear to me how we would fix this. How or why would a pickled object's __setstate__ throw an exception? In django.contrib.sessions.backends.base.SessionBase.decode there's a try/except which catches all exceptions with the following comment: "ValueError, SuspiciousOperation, deserialization exceptions. If any of these happen, just return an empty dictionary (an empty session)."

comment:7 Changed 5 months ago by claudep

  • Resolution set to wontfix
  • Status changed from new to closed

Now that Django session serializer defaults to JSON (, I'm not sure we'll fix this. If anyone can come up with some code to fix this issue, feel free to reopen.

Note: See TracTickets for help on using tickets.
Back to Top