Opened 8 years ago

Closed 6 years ago

#9489 closed (duplicate)

Unnecessary validation of internal data in contrib.sessions

Reported by: Grzegorz Lukasik <hauserx@…> Owned by: nobody
Component: contrib.sessions Version: 1.0
Severity: Keywords: sessions get_decoded md5 tamper
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

In django/contrib/sessions/models.py in method get_decoded data from database is verified for some reason (with md5 signature).
The signature is added by method SessionManager.encode.
Why internal data is checked if it cannot be alter by an external user?

Change History (2)

comment:1 Changed 8 years ago by Jacob

Triage Stage: UnreviewedDesign decision needed

comment:2 Changed 6 years ago by Aymeric Augustin

Resolution: duplicate
Status: newclosed

#14634 raises the same issue, contains a detailed discussion, and is closed as wontfix.

Note: See TracTickets for help on using tickets.
Back to Top