Unnecessary validation of internal data in contrib.sessions
|Reported by:||Owned by:||nobody|
|Severity:||Keywords:||sessions get_decoded md5 tamper|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
In django/contrib/sessions/models.py, in the method get_decoded, data from the database is verified for some reason (with an md5 signature).
The signature is added by the method SessionManager.encode.
Why is internal data checked if it cannot be altered by an external user?
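
A sketch of the round trip this ticket refers to, added here as an illustration and not taken from Django's source: `encode` appends an md5 digest of the payload plus a secret, and `get_decoded` recomputes that digest before deserializing anything. The JSON serializer, the constant-time comparison, the `SECRET_KEY` value and the sample session are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-secret"  # assumption: stands in for settings.SECRET_KEY
MD5_HEX_LEN = 32                    # length of an md5 hex digest


class SuspiciousOperation(Exception):
    """Raised when stored session data fails the tamper check."""


def encode(session_dict):
    """Serialize, append md5(payload + secret) as hex, then base64 the result."""
    payload = json.dumps(session_dict, sort_keys=True).encode()
    digest = hashlib.md5(payload + SECRET_KEY).hexdigest().encode()
    return base64.b64encode(payload + digest).decode()


def get_decoded(session_data):
    """Check the trailing digest first; deserialize only if it matches."""
    try:
        raw = base64.b64decode(session_data, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise SuspiciousOperation("session data is not valid base64") from exc
    if len(raw) < MD5_HEX_LEN:
        raise SuspiciousOperation("session data is too short to carry a digest")
    payload, tamper_check = raw[:-MD5_HEX_LEN], raw[-MD5_HEX_LEN:]
    expected = hashlib.md5(payload + SECRET_KEY).hexdigest().encode()
    if not hmac.compare_digest(expected, tamper_check):
        raise SuspiciousOperation("session data failed the tamper check")
    return json.loads(payload)


if __name__ == "__main__":
    row = encode({"theme": "dark", "visits": 3})  # constructed sample session
    print(get_decoded(row))
    # Simulate a stored row whose payload changed without the secret:
    # the old digest no longer matches, so nothing is deserialized.
    raw = base64.b64decode(row)
    altered = base64.b64encode(raw.replace(b"dark", b"lite", 1)).decode()
    try:
        get_decoded(altered)
    except SuspiciousOperation as exc:
        print("rejected:", exc)
```
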