id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31907	Inconsistent key validation checks in cache backends.	Nick Pope	Nick Pope	"The fix for CVE2020-13254 ensured that `validate_key()` was called for most cache-related operations to avoid a potential get/set key-clash.

There are some other operations that are not properly validated in some of the backend (sub)classes:

- `LocMemcache.touch()`
- `BaseMemcachedCache.delete_many()`
- `MemcachedCache.touch()`
- `MemcachedCache.get()`
- `MemcachedCache.delete()`
- `PyLibMCCache.touch()`

The fix to this should also include a test to ensure that `self.validate_key(key)` is called for all operations to avoid this issue in future.

Note that this was originally raised via the security mailing list, but the decision was to handle this by raising a pull request.

The main concern here is the potential for data loss in the unvalidated `delete()` and `delete_many()` operations."	Bug	closed	Core (Cache system)	dev	Normal	fixed			Accepted	1	0	0	0	0	0