Gregor MacGregor
b2b763448f
Fixed #20841 -- Added messages to NotImplementedErrors
...
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Alex Gaynor
2530735d2d
Fixed a number of flake8 errors -- particularly around unused imports and local variables
2013-09-06 21:56:40 -07:00
CHI Cheng
ed9cd4fd8b
Fixed #21000 -- Made cached_db session backend respect SESSION_CACHE_ALIAS
2013-09-05 10:47:58 -04:00
Tim Graham
b0ce6fe656
Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions
...
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.
Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.
2013-08-22 13:58:26 -04:00
Claude Paroz
fdd7a355bf
Deprecated django.utils.importlib
...
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Aymeric Augustin
cfcf4b3605
Stopped using django.utils.unittest in the test suite.
...
Refs #20680 .
2013-07-01 14:29:33 +02:00
Matt Robenolt
5ff2ffa330
Define the SessionStore inside __init__ instead of process_request
...
It's unnecessary to run this on every request, since technically, settings *should be* immutable.
2013-06-30 09:43:02 +02:00
Preston Holmes
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Erik Romijn
f88700d610
Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
2013-05-19 15:33:05 +02:00
Claude Paroz
9f7a01ef2b
Updated translation templates and removed en translations
...
"en" translations have been mistakenly committed in 87cc3da81
.
2013-05-02 16:25:23 +02:00
Claude Paroz
244e765a94
Updated translation templates
2013-03-28 10:06:11 +01:00
Aymeric Augustin
ba5138b1c0
Deprecated transaction.commit/rollback_unless_managed.
...
Since "unless managed" now means "if database-level autocommit",
committing or rolling back doesn't have any effect.
Restored transactional integrity in a few places that relied on
automatically-started transactions with a transitory API.
2013-03-11 14:48:54 +01:00
Claude Paroz
87cc3da814
Merged contrib translations from 1.5 branch
2013-02-26 21:51:06 +01:00
Joeri Bekker
b9cc61021a
Fixed #9084 - Best approach for an OS to atomically rename the session file.
2013-02-24 14:21:40 +01:00
Mathijs de Bruin
8c1cc4b3b0
Fixed regression introduced in 146ed13a
.
...
As override_settings was used after the initialization of the session backend,
we need to use a new session backend here.
2013-02-23 16:53:31 +01:00
Aymeric Augustin
d913a8b412
Fixed #19356 -- Increased session key entropy.
2012-11-29 16:36:43 +01:00
Aymeric Augustin
11fd00c46e
Fixed #19254 -- Bug in SESSION_FILE_PATH handling.
...
Thanks simonb for the report.
Refs #18194 .
2012-11-06 10:19:14 +01:00
Aymeric Augustin
146ed13a11
Fixed #17083 -- Allowed sessions to use non-default cache.
2012-10-31 09:46:16 +01:00
Aymeric Augustin
58337b3223
Marked cookies-based session expiry test as an expected failure.
...
Refs #19201 .
2012-10-28 18:03:23 +01:00
Aymeric Augustin
98032f67c7
Fixed #14093 -- Improved error message in the cache session backend.
...
Thanks stumbles for the patch.
2012-10-28 12:40:10 +01:00
Aymeric Augustin
5fec97b9df
Fixed #18194 -- Expiration of file-based sessions
...
* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions
Thanks ej for the report, crodjer and Elvard for their inputs.
2012-10-28 09:19:38 +01:00
Aymeric Augustin
882c47cd40
Improved tests introduced in 04b00b6
.
...
These tests are expected to fail for the file session backend because it
doesn't handle expiry properly. They didn't because of an error in the
test setup sequence.
Refs #19200 , #18194 .
2012-10-27 23:15:45 +02:00
Aymeric Augustin
cd17a24083
Added optional kwargs to get_expiry_age/date.
...
This change allows for cleaner tests: we can test the exact output.
Refs #18194 : this change makes it possible to compute session expiry
dates at times other than when the session is saved.
Fixed #18458 : the existence of the `modification` kwarg implies that you
must pass it to get_expiry_age/date if you call these functions outside
of a short request - response cycle (the intended use case).
2012-10-27 23:15:45 +02:00
Aymeric Augustin
04b00b668d
Fixed #19200 -- Session expiry with cached_db
...
Also did a little bit of cleanup.
2012-10-27 19:40:39 +02:00
Aymeric Augustin
83ba0a9d4b
Fixed #18978 -- Moved cleanup command to sessions.
...
This removes a dependency of 'core' on 'contrib'.
2012-10-27 18:31:00 +02:00
Claude Paroz
58365401c9
Updated base translation files
2012-10-15 11:17:06 +02:00
Claude Paroz
486e67598f
Fixed #10853 -- Skipped some sessions tests with dummy cache backend
2012-09-21 13:17:25 +02:00
Malcolm Tredinnick
5e99a3d41b
Adjust d7853c5
to not show ignorable warnings when running tests.
2012-09-08 20:28:31 -04:00
Carl Meyer
67dceeef44
Remove a couple unused imports.
2012-09-08 14:30:11 -06:00
Claude Paroz
d7853c55ed
Removed warning check in test_load_overlong_key
...
Some backends issue a warning here, others not. This is not the primary
goal of the test, so the assertion about the warning has been removed.
Thanks Carl Meyer for noticing the issue and suggesting the fix.
2012-09-08 21:31:46 +02:00
Claude Paroz
ebc773ada3
Replaced many smart_bytes by force_bytes
...
In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.
2012-08-29 11:20:32 +02:00
Florian Apolloner
518af78e21
Removed unneeded smart_bytes import which was introduced in f2fff84bc
.
2012-08-15 17:33:21 +02:00
Florian Apolloner
f2fff84bc3
[py3] fixed session file backend.
2012-08-15 14:20:44 +02:00
Claude Paroz
e0d67f3440
[py3] Fixed test_client_regress tests
2012-08-15 10:58:26 +02:00
Aymeric Augustin
212a512984
[py3] Avoided the deprecated base64 interface.
...
This fixes a deprecation warning under Python 3.
2012-08-14 23:45:12 +02:00
Claude Paroz
8a1f439d3a
[py3] Fix encoding issues in contrib.sessions
2012-08-12 22:49:10 +02:00
Aymeric Augustin
c5ef65bcf3
[py3] Ported django.utils.encoding.
...
* Renamed smart_unicode to smart_text (but kept the old name under
Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
and smart_bytes under Python 2 (which is backwards compatible).
Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin
ee191715ea
[py3] Fixed access to dict keys/values/items.
2012-08-07 12:00:22 +02:00
Aymeric Augustin
a84d79f572
[py3] Added Python 3 compatibility for xrange.
2012-07-22 09:29:56 +02:00
Aymeric Augustin
ca07fda2ef
[py3] Switched to Python 3-compatible imports.
...
xrange/range will be dealt with in a separate commit due to the huge
number of changes.
2012-07-22 09:29:56 +02:00
Anssi Kääriäinen
aeda55e6bf
Fixed #3881 -- skip saving session when response status is 500
...
Saving session data is somewhat likely to lead into error when the
status code is 500. It is guaranteed to lead into error if the reason
for the 500 code is query error on PostgreSQL.
2012-07-16 20:57:55 +03:00
Claude Paroz
865cd35c9b
Made more extensive usage of context managers with open.
2012-05-05 14:06:36 +02:00
Claude Paroz
11a5355517
Inserted more simplefilter calls to be sure warnings are emitted.
...
Thanks to Florian Apolloner for suggesting the patch.
2012-05-03 21:31:23 +02:00
Claude Paroz
00c0d3c44e
Made warning assertions work with or without -Wall python switch
2012-05-03 20:18:05 +02:00
Claude Paroz
10cf3c6427
Used catch_warnings instead of save/restore methods. Refs #17049 .
2012-05-03 18:30:07 +02:00
Claude Paroz
3904b74a3f
Fixed #18013 -- Use the new 'as' syntax for exceptions.
...
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
Claude Paroz
23d3459761
Fixed #17965 -- Definitely dropped support for Python 2.5. Thanks jonash for the initial patch and Aymeric Augustin for the review.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 08:24:29 +00:00
Aymeric Augustin
eb163f37cb
Use the class decorator syntax available in Python >= 2.6. Refs #17965 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17829 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 09:08:29 +00:00
Claude Paroz
9383a2761c
Removed with_statement imports, useless in Python >= 2.6. Refs #17965 . Thanks jonash for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17828 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 08:02:08 +00:00
Aymeric Augustin
f356a2e52f
Fixed #17810 (again). Catch session key errors.
...
The previous commit didn't work with PyLibMC.
This solution appears to be the best compromise
at this point in the 1.4 release cycle.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17797 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 16:14:46 +00:00
Jannis Leidel
46871eb1bb
Fixed an incompatibility with Python 2.5 in the changes done in r17795. Refs #17810 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17796 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 09:32:11 +00:00
Paul McMillan
2ca9801956
Fixed #17810 . Catch session key errors.
...
Catches memcached session key errors related to overly long session keys.
This is a long-standing bug, but severity was exacerbated by the addition
of cookie-backed session storage, which generates long session values. If
an installation switched from cookie-backed session store to memcached,
users would not be able to log in because of the server error from overly
long memcached keys.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17795 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 05:31:11 +00:00
Jannis Leidel
5b3721b067
Pulled sessions translations updates from Transifex. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 03:24:45 +00:00
Jannis Leidel
9d1d1f06db
Added Tatar translation. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:15:31 +00:00
Jannis Leidel
e540f27475
Added Swahili translation. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:14:48 +00:00
Jannis Leidel
830900c24a
Added Nepali translation. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17730 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:14:07 +00:00
Jannis Leidel
661139a29e
Added Kazakh translation. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17729 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:13:24 +00:00
Jannis Leidel
e47b92dad7
Added Esperanto to the list of languages. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17728 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:12:43 +00:00
Jannis Leidel
0c1a8a99df
Pulled the sessions translations updates from Transifex. Refs #17822 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17726 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14 09:10:38 +00:00
Paul McMillan
239e41f7c5
Cleanup to use get_random_string consistently.
...
Removes several ad hoc implementations of get_random_string()
and removes an innapropriate use of settings.SECRET_KEY.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17580 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-23 21:39:12 +00:00
Julien Phalip
804bd40383
Fixed #17506 -- Did a minor optimization in the sessions' database backend. Thanks to FunkyBob for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17390 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-24 07:42:38 +00:00
Jannis Leidel
4c376852fe
Updated English base translation files in preparation of the alpha release so Transifex can pick them up.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17250 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-22 23:02:28 +00:00
Adrian Holovaty
20c8aa2a20
Fixed various dodgy behaviours
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 17:37:24 +00:00
Aymeric Augustin
c11f9c3193
Optimized the cached_db session backend to check if a key exists in the cache first.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17156 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 18:36:03 +00:00
Aymeric Augustin
bda21e2b9d
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478 .
...
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 17:52:24 +00:00
Paul McMillan
02a1b9a93e
Improved the test for #16847 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17141 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-22 01:10:00 +00:00
Paul McMillan
16e3636a1a
Fixed Python 2.5 test failure introduced in r17135.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17137 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-21 22:50:35 +00:00
Paul McMillan
4d975b4f88
Fixed #16847 . Session Cookies now default to httponly = True.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-21 22:03:03 +00:00
Aymeric Augustin
4ac594f8a5
Upgraded django.contrib.sessions to be compatible with time zone support.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-20 10:33:44 +00:00
Jannis Leidel
c20d33201c
Fixed #17223 -- Correctly reference the signed cookies session backend. Thanks, Bryan Veloso.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17101 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-17 21:16:42 +00:00
Paul McMillan
1ac2bb9b8e
Fixed #16987 -- Improved error message for session tests. Thanks jMyles and DiskSpace for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-05 05:21:47 +00:00
Russell Keith-Magee
33076af6f2
Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16759 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:48 +00:00
Jannis Leidel
fb590bfa9b
Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
Jannis Leidel
24f4764a48
Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13 09:35:51 +00:00
Alex Gaynor
20dc647ba8
Fixed a typo, and added an ``__future__`` import to the new signed cookie tets.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 19:22:53 +00:00
Jannis Leidel
c817f2f544
Fixed #16199 -- Added a Cookie based session backend. Many thanks to Eric Florenzano for his initial work and Florian Apollaner for reviewing.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16466 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 17:00:24 +00:00
Russell Keith-Magee
d60ae0b721
Removed deprecated 'no' translation
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15988 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-02 08:43:43 +00:00
Luke Plant
c0caac87f9
Removed Django 1.2 compatibility fallback for session data integrity check hash.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:35:22 +00:00
Adrian Holovaty
a87be3554f
Removed a bunch of Python 2.4 workarounds now that we don't support it. Refs #15702 -- thanks to jonash for the patch. Splitting this over muliple commits to make it more manageable.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 01:40:43 +00:00
Jannis Leidel
ada8e2a6fa
Pulled translation updates from Transifex again.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15886 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-20 22:16:14 +00:00
Ramiro Morales
5347bbd514
Fixed plural forms formula for the Croatian (hr) localization by manually overriding the header of affected .po files and re-generating .mo files, this seems to be a quirck in Transifex export to PO functionality. Thanks bmihelac fot the report. Refs #15634 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15875 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-17 22:56:10 +00:00
Jannis Leidel
d31cf12be1
Pulled sessions translation updates from Transifex.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15836 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:12:38 +00:00
Jannis Leidel
90564a156c
Fixed Hungarian, Russian, Serbian and Ukranian plural forms introduced in r15680.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:07:11 +00:00
Jannis Leidel
c11140d04b
Fixed plural forms of Irish translation introduced in r15680.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15751 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:05:10 +00:00
Jannis Leidel
53b2a25396
Fixed plural forms of Welsh translation introduced in r15680.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:04:31 +00:00
Jannis Leidel
bef353873e
Fixed plural forms of Bosnian translation introduced in r15680.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15749 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:03:14 +00:00
Jannis Leidel
9838ba0db7
Updated sessions translations from transifex.net. Refs #15300 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15694 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 09:12:43 +00:00
Alex Gaynor
6ca7c9c495
Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
Russell Keith-Magee
7536f63b32
Fixed #14768 -- Added an es_MX locale and initial translation. Thanks to Alonso Bautista Villalobos and the rest of the Mexican translation team.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15433 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-06 06:06:29 +00:00
Carl Meyer
b8a8066ac4
Fixed duplicate-named contrib.sessions tests, and removed unused import (cleanup from doctest conversion).
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-31 18:37:28 +00:00
Jannis Leidel
ddb9df78a6
Added new translation files to sessions contrib app.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15270 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-21 19:19:44 +00:00
Russell Keith-Magee
993612c84d
Fixed #15026 -- Added cleanup to the invalid key session tests; when using Memcached as a cache backend, the cache-backed session backends would fail on the second run due to leftover cache artefacts. Thanks to jsdalton for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-17 14:03:19 +00:00
Russell Keith-Magee
78be884ea7
Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:30:50 +00:00
Luke Plant
f6363bc628
Fixed potential circular import problem.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14564 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 23:35:16 +00:00
Luke Plant
0324151bec
Fixed #14685 - incompatible code in contrib.sessions.models
...
Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 22:23:46 +00:00
Russell Keith-Magee
ea85d4303d
Fixed #14231 -- Added an index to the expire_date column on the Session model. Thanks to joeri for the report, via Frodo from Medid.
...
This won't affect any existing session tables; see the release notes for migration instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14378 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:56:37 +00:00
Luke Plant
45c7f427ce
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
...
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee
121d2e3678
Fixed #12991 -- Added unittest2 support. Thanks to PaulM for the draft patch, and to Luke, Karen, Justin, Alex, Łukasz Rekucki, and Chuck Harmston for their help testing and reviewing the final patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:55:17 +00:00
Russell Keith-Magee
a904e55859
Fixed #11509 -- Modified usage of "Web" to match our style guide in various documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 08:12:50 +00:00
Russell Keith-Magee
597e03cd74
Fixed #14096 -- Corrected Python 2.4 syntax issue. Thanks to PaulM for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13579 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-14 12:11:02 +00:00