Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Malcolm Tredinnick
parent
70fe1ef262
commit
041e24dbde
|
|
@ -10,40 +10,42 @@ class SessionStore(SessionBase):
|
|||
"""
|
||||
def __init__(self, session_key=None):
|
||||
super(SessionStore, self).__init__(session_key)
|
||||
|
||||
|
||||
def load(self):
|
||||
try:
|
||||
s = Session.objects.get(
|
||||
session_key = self.session_key,
|
||||
session_key = self.session_key,
|
||||
expire_date__gt=datetime.datetime.now()
|
||||
)
|
||||
return self.decode(s.session_data)
|
||||
except (Session.DoesNotExist, SuspiciousOperation):
|
||||
|
||||
|
||||
# Create a new session_key for extra security.
|
||||
self.session_key = self._get_new_session_key()
|
||||
self._session_cache = {}
|
||||
|
||||
# Save immediately to minimize collision
|
||||
self.save()
|
||||
# Ensure the user is notified via a new cookie.
|
||||
self.modified = True
|
||||
return {}
|
||||
|
||||
|
||||
def exists(self, session_key):
|
||||
try:
|
||||
Session.objects.get(session_key=session_key)
|
||||
except Session.DoesNotExist:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
def save(self):
|
||||
Session.objects.create(
|
||||
session_key = self.session_key,
|
||||
session_data = self.encode(self._session),
|
||||
expire_date = datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE)
|
||||
)
|
||||
|
||||
|
||||
def delete(self, session_key):
|
||||
try:
|
||||
Session.objects.get(session_key=session_key).delete()
|
||||
except Session.DoesNotExist:
|
||||
pass
|
||||
pass
|
||||
|
|
|
|||
|
|
@ -10,31 +10,31 @@ class SessionStore(SessionBase):
|
|||
"""
|
||||
def __init__(self, session_key=None):
|
||||
self.storage_path = getattr(settings, "SESSION_FILE_PATH", tempfile.gettempdir())
|
||||
|
||||
|
||||
# Make sure the storage path is valid.
|
||||
if not os.path.isdir(self.storage_path):
|
||||
raise ImproperlyConfigured("The session storage path %r doesn't exist. "\
|
||||
"Please set your SESSION_FILE_PATH setting "\
|
||||
"to an existing directory in which Django "\
|
||||
"can store session data." % self.storage_path)
|
||||
|
||||
self.file_prefix = settings.SESSION_COOKIE_NAME
|
||||
|
||||
self.file_prefix = settings.SESSION_COOKIE_NAME
|
||||
super(SessionStore, self).__init__(session_key)
|
||||
|
||||
|
||||
def _key_to_file(self, session_key=None):
|
||||
"""
|
||||
Get the file associated with this session key.
|
||||
"""
|
||||
if session_key is None:
|
||||
session_key = self.session_key
|
||||
|
||||
|
||||
# Make sure we're not vulnerable to directory traversal. Session keys
|
||||
# should always be md5s, so they should never contain directory components.
|
||||
if os.path.sep in session_key:
|
||||
raise SuspiciousOperation("Invalid characters (directory components) in session key")
|
||||
|
||||
|
||||
return os.path.join(self.storage_path, self.file_prefix + session_key)
|
||||
|
||||
|
||||
def load(self):
|
||||
session_data = {}
|
||||
try:
|
||||
|
|
@ -46,6 +46,8 @@ class SessionStore(SessionBase):
|
|||
self._session_key = self._get_new_session_key()
|
||||
self._session_cache = {}
|
||||
self.save()
|
||||
# Ensure the user is notified via a new cookie.
|
||||
self.modified = True
|
||||
finally:
|
||||
session_file.close()
|
||||
except(IOError):
|
||||
|
|
@ -66,12 +68,12 @@ class SessionStore(SessionBase):
|
|||
if os.path.exists(self._key_to_file(session_key)):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def delete(self, session_key):
|
||||
try:
|
||||
os.unlink(self._key_to_file(session_key))
|
||||
except OSError:
|
||||
pass
|
||||
|
||||
|
||||
def clean(self):
|
||||
pass
|
||||
|
|
|
|||
Loading…
Reference in New Issue