Commit Graph

61 Commits

Author SHA1 Message Date
Aymeric Augustin cfcf4b3605 Stopped using django.utils.unittest in the test suite.
Refs #20680.
2013-07-01 14:29:33 +02:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Erik Romijn f88700d610 Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only 2013-05-19 15:33:05 +02:00
Mathijs de Bruin 8c1cc4b3b0 Fixed regression introduced in 146ed13a.
As override_settings was used after the initialization of the session backend,
we need to use a new session backend here.
2013-02-23 16:53:31 +01:00
Aymeric Augustin 146ed13a11 Fixed #17083 -- Allowed sessions to use non-default cache. 2012-10-31 09:46:16 +01:00
Aymeric Augustin 58337b3223 Marked cookies-based session expiry test as an expected failure.
Refs #19201.
2012-10-28 18:03:23 +01:00
Aymeric Augustin 5fec97b9df Fixed #18194 -- Expiration of file-based sessions
* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions

Thanks ej for the report, crodjer and Elvard for their inputs.
2012-10-28 09:19:38 +01:00
Aymeric Augustin 882c47cd40 Improved tests introduced in 04b00b6.
These tests are expected to fail for the file session backend because it
doesn't handle expiry properly. They didn't because of an error in the
test setup sequence.

Refs #19200, #18194.
2012-10-27 23:15:45 +02:00
Aymeric Augustin cd17a24083 Added optional kwargs to get_expiry_age/date.
This change allows for cleaner tests: we can test the exact output.

Refs #18194: this change makes it possible to compute session expiry
dates at times other than when the session is saved.

Fixed #18458: the existence of the `modification` kwarg implies that you
must pass it to get_expiry_age/date if you call these functions outside
of a short request - response cycle (the intended use case).
2012-10-27 23:15:45 +02:00
Aymeric Augustin 04b00b668d Fixed #19200 -- Session expiry with cached_db
Also did a little bit of cleanup.
2012-10-27 19:40:39 +02:00
Claude Paroz 486e67598f Fixed #10853 -- Skipped some sessions tests with dummy cache backend 2012-09-21 13:17:25 +02:00
Malcolm Tredinnick 5e99a3d41b Adjust d7853c5 to not show ignorable warnings when running tests. 2012-09-08 20:28:31 -04:00
Carl Meyer 67dceeef44 Remove a couple unused imports. 2012-09-08 14:30:11 -06:00
Claude Paroz d7853c55ed Removed warning check in test_load_overlong_key
Some backends issue a warning here, others not. This is not the primary
goal of the test, so the assertion about the warning has been removed.
Thanks Carl Meyer for noticing the issue and suggesting the fix.
2012-09-08 21:31:46 +02:00
Aymeric Augustin ee191715ea [py3] Fixed access to dict keys/values/items. 2012-08-07 12:00:22 +02:00
Anssi Kääriäinen aeda55e6bf Fixed #3881 -- skip saving session when response status is 500
Saving session data is somewhat likely to lead into error when the
status code is 500. It is guaranteed to lead into error if the reason
for the 500 code is query error on PostgreSQL.
2012-07-16 20:57:55 +03:00
Claude Paroz 11a5355517 Inserted more simplefilter calls to be sure warnings are emitted.
Thanks to Florian Apolloner for suggesting the patch.
2012-05-03 21:31:23 +02:00
Claude Paroz 00c0d3c44e Made warning assertions work with or without -Wall python switch 2012-05-03 20:18:05 +02:00
Claude Paroz 10cf3c6427 Used catch_warnings instead of save/restore methods. Refs #17049. 2012-05-03 18:30:07 +02:00
Claude Paroz 23d3459761 Fixed #17965 -- Definitely dropped support for Python 2.5. Thanks jonash for the initial patch and Aymeric Augustin for the review.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 08:24:29 +00:00
Aymeric Augustin eb163f37cb Use the class decorator syntax available in Python >= 2.6. Refs #17965.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17829 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 09:08:29 +00:00
Claude Paroz 9383a2761c Removed with_statement imports, useless in Python >= 2.6. Refs #17965. Thanks jonash for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17828 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 08:02:08 +00:00
Paul McMillan 2ca9801956 Fixed #17810. Catch session key errors.
Catches memcached session key errors related to overly long session keys.
This is a long-standing bug, but severity was exacerbated by the addition
of cookie-backed session storage, which generates long session values. If
an installation switched from cookie-backed session store to memcached,
users would not be able to log in because of the server error from overly
long memcached keys.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17795 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 05:31:11 +00:00
Adrian Holovaty 20c8aa2a20 Fixed various dodgy behaviours
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 17:37:24 +00:00
Aymeric Augustin c11f9c3193 Optimized the cached_db session backend to check if a key exists in the cache first.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17156 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 18:36:03 +00:00
Aymeric Augustin bda21e2b9d Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478.
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 17:52:24 +00:00
Paul McMillan 02a1b9a93e Improved the test for #16847.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17141 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-22 01:10:00 +00:00
Paul McMillan 16e3636a1a Fixed Python 2.5 test failure introduced in r17135.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17137 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-21 22:50:35 +00:00
Paul McMillan 4d975b4f88 Fixed #16847. Session Cookies now default to httponly = True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-21 22:03:03 +00:00
Aymeric Augustin 4ac594f8a5 Upgraded django.contrib.sessions to be compatible with time zone support.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-20 10:33:44 +00:00
Paul McMillan 1ac2bb9b8e Fixed #16987 -- Improved error message for session tests. Thanks jMyles and DiskSpace for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-05 05:21:47 +00:00
Jannis Leidel fb590bfa9b Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
Alex Gaynor 20dc647ba8 Fixed a typo, and added an ``__future__`` import to the new signed cookie tets.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 19:22:53 +00:00
Jannis Leidel c817f2f544 Fixed #16199 -- Added a Cookie based session backend. Many thanks to Eric Florenzano for his initial work and Florian Apollaner for reviewing.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16466 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 17:00:24 +00:00
Luke Plant c0caac87f9 Removed Django 1.2 compatibility fallback for session data integrity check hash.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:35:22 +00:00
Adrian Holovaty a87be3554f Removed a bunch of Python 2.4 workarounds now that we don't support it. Refs #15702 -- thanks to jonash for the patch. Splitting this over muliple commits to make it more manageable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 01:40:43 +00:00
Alex Gaynor 6ca7c9c495 Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
Carl Meyer b8a8066ac4 Fixed duplicate-named contrib.sessions tests, and removed unused import (cleanup from doctest conversion).
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-31 18:37:28 +00:00
Russell Keith-Magee 993612c84d Fixed #15026 -- Added cleanup to the invalid key session tests; when using Memcached as a cache backend, the cache-backed session backends would fail on the second run due to leftover cache artefacts. Thanks to jsdalton for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-17 14:03:19 +00:00
Russell Keith-Magee 78be884ea7 Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:30:50 +00:00
Luke Plant 0324151bec Fixed #14685 - incompatible code in contrib.sessions.models
Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 22:23:46 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 121d2e3678 Fixed #12991 -- Added unittest2 support. Thanks to PaulM for the draft patch, and to Luke, Karen, Justin, Alex, Łukasz Rekucki, and Chuck Harmston for their help testing and reviewing the final patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:55:17 +00:00
Russell Keith-Magee 597e03cd74 Fixed #14096 -- Corrected Python 2.4 syntax issue. Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13579 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-14 12:11:02 +00:00
Luke Plant 5eece23296 Converted sessions tests from doctest to unittest.
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
Malcolm Tredinnick d77236960a Fixed #9548 -- Correctly detect existence of empty sessions with cache backend.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9934 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-01 07:32:41 +00:00
Jacob Kaplan-Moss 299e1e814f Fixed #6791: added a write-through cache session backend: session data is written through the cache to the database, but read from the cache for speed. Thanks to jhenry, mcroydon, and jdunck.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9727 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-10 22:18:14 +00:00
Jacob Kaplan-Moss b21ea0a836 More be-nice-to-the-buildbot: be better about cleaning up files created by the cache/session tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-10 21:41:12 +00:00
Malcolm Tredinnick c8c159cbba When logging in, change the session key whilst preserving any existing
sesssion. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 13:54:53 +00:00
Malcolm Tredinnick 54f9a98713 Fixed #8351 -- Fixed the returned value when we attempt to load a cache-backed session object that doesn't alreayd exist.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-16 15:54:36 +00:00