7548aa8ffd
More attacking E302 violators
2013-11-02 13:12:09 -07:00
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
f88700d610
Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
2013-05-19 15:33:05 +02:00
b9cc61021a
Fixed #9084 - Best approach for an OS to atomically rename the session file.
2013-02-24 14:21:40 +01:00
d913a8b412
Fixed #19356 -- Increased session key entropy.
2012-11-29 16:36:43 +01:00
11fd00c46e
Fixed #19254 -- Bug in SESSION_FILE_PATH handling.
...
Thanks simonb for the report.
Refs #18194 .
2012-11-06 10:19:14 +01:00
5fec97b9df
Fixed #18194 -- Expiration of file-based sessions
...
* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions
Thanks ej for the report, crodjer and Elvard for their inputs.
2012-10-28 09:19:38 +01:00
518af78e21
Removed unneeded smart_bytes import which was introduced in f2fff84bc.
2012-08-15 17:33:21 +02:00
f2fff84bc3
[py3] fixed session file backend.
2012-08-15 14:20:44 +02:00
865cd35c9b
Made more extensive usage of context managers with open.
2012-05-05 14:06:36 +02:00
3904b74a3f
Fixed #18013 -- Use the new 'as' syntax for exceptions.
...
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
bda21e2b9d
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478 .
...
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 17:52:24 +00:00
fb590bfa9b
Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
6ca7c9c495
Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
5eece23296
Converted sessions tests from doctest to unittest.
...
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
89633c3077
Fixed a small oversight in [8750]; thanks for the sharp eyes, Warren. Fixes #8616 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8812 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-01 20:25:16 +00:00
eebc7caa63
Fixed #8616 (again): prevent a race condition in the session file backend. Many thanks to Warren Smith for help and the eventual fix.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-30 20:50:41 +00:00
3717e3bba3
Reverted #8688 for now, since it merely introduced different bugs, rather than
...
fixing the problem. We have a plan B (and plan C, if needed), so this will be
fixed in a different way.
Refs #8616 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 17:32:21 +00:00
02f86a1c7c
Fixed #8616 -- Fixed a race condition in the file-based session backend.
...
Thanks to warren@wandrsmith.net for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 01:44:11 +00:00
eb85af1865
Fixed #8457 -- Fixed a missing import.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8451 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-20 21:12:45 +00:00
0d48087a53
Made a few small tweaks to reduce persistent storage accesses in the session
...
backend. Refs #8311 , although doesn't fix the problem there.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 14:59:11 +00:00
9e423b51e3
Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via
...
a cookie) with no corresponding entry in the database.
This only affected the database backend, but I've applied the same fix to all
three backends for robustness.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 19:43:08 +00:00
9d83444f16
Fixed #6984 -- Make sure to load session data from the file (if necessary)
...
prior to truncating it during a save.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8344 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:58:09 +00:00
5e8efa9a60
Implemented a flush() method on sessions that cleans out the session and
...
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.
Based on a patch from mrts. Refs #7515 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:46 +00:00
af7b6475ca
Added guaranteed atomic creation of new session objects. Slightly backwards
...
incompatible for custom session backends.
Whilst we were in the neighbourhood, use a larger range of session key values
to save a small amount of time and use the hardware-base random numbers where
available (transparently falls back to pseudo-RNG otherwise).
Fixed #1080
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:18 +00:00
5db4d60215
Several Django styling fixes in the `contrib.sessions` app.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-23 05:08:07 +00:00
9e47cc2e51
Fixed #5507 -- Use a more portable way to get at the system's tmpdir (fixes a
...
problem with the default on Windows). Thanks, Philippe Raoult.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7329 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-20 06:43:58 +00:00
041e24dbde
Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-01-06 12:53:09 +00:00
602b7bca7a
Fixed #6082 : file-based sessions now verify that SESSION_FILE_PATH is a valid storage location, and raise ImproperlyConfigured if not. Thanks, jags78.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6889 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-04 20:24:22 +00:00
ae75958820
Fixed #5501 -- Fixed Python 2.3 and 2.4 incompatibility. Thanks, brosner.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6348 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-16 02:03:46 +00:00
bcf7e9a9fe
Fixed #2066 : session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 21:29:14 +00:00
Alex Gaynor
Preston Holmes
Erik Romijn
Joeri Bekker
Aymeric Augustin
Florian Apolloner
Claude Paroz
Jannis Leidel
Luke Plant
Jacob Kaplan-Moss
Malcolm Tredinnick
Gary Wilson Jr