Fixed #24468 -- Made signed cookies cache backend resilient to unpickling exceptions.

2015-03-11 13:46:39 -04:00 · 2015-03-11 13:46:39 -04:00 · 8a481498aa
parent 28e8c54d7d
commit 8a481498aa
2 changed files with 15 additions and 1 deletions
--- a/django/contrib/sessions/backends/signed_cookies.py
+++ b/django/contrib/sessions/backends/signed_cookies.py
@ -17,7 +17,9 @@ class SessionStore(SessionBase):
                # This doesn't handle non-default expiry dates, see #19201
                max_age=settings.SESSION_COOKIE_AGE,
                salt='django.contrib.sessions.backends.signed_cookies')
-        except (signing.BadSignature, ValueError):
+        except Exception:
+            # BadSignature, ValueError, or unpickling exceptions. If any of
+            # these happen, reset the session.
            self.create()
        return {}

--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@ -17,6 +17,9 @@ from django.contrib.sessions.backends.signed_cookies import \
 from django.contrib.sessions.exceptions import InvalidSessionKey
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.contrib.sessions.models import Session
+from django.contrib.sessions.serializers import (
+    JSONSerializer, PickleSerializer,
+)
 from django.core import management
 from django.core.cache import caches
 from django.core.cache.backends.base import InvalidCacheBackendError
@ -632,3 +635,12 @@ class CookieSessionTests(SessionTestsMixin, unittest.TestCase):
    def test_actual_expiry(self):
        # The cookie backend doesn't handle non-default expiry dates, see #19201
        super(CookieSessionTests, self).test_actual_expiry()
+
+    def test_unpickling_exception(self):
+        # signed_cookies backend should handle unpickle exceptions gracefully
+        # by creating a new session
+        self.assertEqual(self.session.serializer, JSONSerializer)
+        self.session.save()
+
+        self.session.serializer = PickleSerializer
+        self.session.load()