Opened 6 years ago

Closed 4 years ago

#9489 closed (duplicate)

Unnecessary validation of internal data in contrib.sessions

Reported by: Grzegorz Lukasik <hauserx@…>
Owned by: nobody
Component: contrib.sessions
Version: 1.0
Severity:
Keywords: sessions get_decoded md5 tamper
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

In django/contrib/sessions/models.py, in the method get_decoded, data from the database is verified for some reason (with an md5 signature).
The signature is added by the method SessionManager.encode.
Why is internal data checked if it cannot be altered by an external user?
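
The kind of check the description refers to, sketched as an added example (not part of the ticket and not Django's own code): a digest over the payload plus a secret is appended on encode and recomputed on decode, so a stored value rewritten without the secret is rejected. The function names follow the ticket; `SECRET_KEY`, the JSON serialization, the exception class and `demo` are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: constructed value standing in for the site's secret key.
SECRET_KEY = b"constructed-example-secret"


class TamperedSessionData(Exception):
    """The stored session data does not match its appended digest."""


def encode(session_dict):
    # Serialize, then append a 32-character hex MD5 over payload + secret.
    # MD5 is used only because the ticket names it; HMAC is the standard
    # construction for a keyed integrity check.
    payload = json.dumps(session_dict, sort_keys=True).encode()
    digest = hashlib.md5(payload + SECRET_KEY).hexdigest().encode()
    return base64.b64encode(payload + digest).decode()


def get_decoded(session_data):
    raw = base64.b64decode(session_data)
    payload, stored = raw[:-32], raw[-32:]
    expected = hashlib.md5(payload + SECRET_KEY).hexdigest().encode()
    # A mismatch means the row was not produced by code holding SECRET_KEY.
    if not hmac.compare_digest(expected, stored):
        raise TamperedSessionData("digest mismatch")
    return json.loads(payload)


def demo():
    row = encode({"user_id": 42})  # value the application itself stores
    assert get_decoded(row) == {"user_id": 42}
    # Constructed case: a row written by something that lacks SECRET_KEY.
    other = json.dumps({"user_id": 1}).encode()
    rewritten = base64.b64encode(other + b"0" * 32).decode()
    try:
        get_decoded(rewritten)
    except TamperedSessionData:
        return "rejected"
    return "accepted"
```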

Change History (2)

comment:1 Changed 6 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 4 years ago by aaugustin

  • Resolution set to duplicate
  • Status changed from new to closed

#14634 raises the same issue, contains a detailed discussion, and is closed as wontfix.
