Alex Gaynor
7548aa8ffd
More attacking E302 violators
2013-11-02 13:12:09 -07:00
Preston Holmes
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Erik Romijn
f88700d610
Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
2013-05-19 15:33:05 +02:00
Joeri Bekker
b9cc61021a
Fixed #9084 - Best approach for an OS to atomically rename the session file.
2013-02-24 14:21:40 +01:00
Aymeric Augustin
d913a8b412
Fixed #19356 -- Increased session key entropy.
2012-11-29 16:36:43 +01:00
Aymeric Augustin
11fd00c46e
Fixed #19254 -- Bug in SESSION_FILE_PATH handling.
...
Thanks simonb for the report.
Refs #18194 .
2012-11-06 10:19:14 +01:00
Aymeric Augustin
5fec97b9df
Fixed #18194 -- Expiration of file-based sessions
...
* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions
Thanks ej for the report, crodjer and Elvard for their inputs.
2012-10-28 09:19:38 +01:00
Florian Apolloner
518af78e21
Removed unneeded smart_bytes import which was introduced in f2fff84bc
.
2012-08-15 17:33:21 +02:00
Florian Apolloner
f2fff84bc3
[py3] fixed session file backend.
2012-08-15 14:20:44 +02:00
Claude Paroz
865cd35c9b
Made more extensive usage of context managers with open.
2012-05-05 14:06:36 +02:00
Claude Paroz
3904b74a3f
Fixed #18013 -- Use the new 'as' syntax for exceptions.
...
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
Aymeric Augustin
bda21e2b9d
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478 .
...
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 17:52:24 +00:00
Jannis Leidel
fb590bfa9b
Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
Alex Gaynor
6ca7c9c495
Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
Luke Plant
5eece23296
Converted sessions tests from doctest to unittest.
...
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
Jacob Kaplan-Moss
89633c3077
Fixed a small oversight in [8750]; thanks for the sharp eyes, Warren. Fixes #8616 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8812 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-01 20:25:16 +00:00
Jacob Kaplan-Moss
eebc7caa63
Fixed #8616 (again): prevent a race condition in the session file backend. Many thanks to Warren Smith for help and the eventual fix.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-30 20:50:41 +00:00
Malcolm Tredinnick
3717e3bba3
Reverted #8688 for now, since it merely introduced different bugs, rather than
...
fixing the problem. We have a plan B (and plan C, if needed), so this will be
fixed in a different way.
Refs #8616 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 17:32:21 +00:00
Malcolm Tredinnick
02f86a1c7c
Fixed #8616 -- Fixed a race condition in the file-based session backend.
...
Thanks to warren@wandrsmith.net for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 01:44:11 +00:00
Malcolm Tredinnick
eb85af1865
Fixed #8457 -- Fixed a missing import.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8451 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-20 21:12:45 +00:00
Malcolm Tredinnick
0d48087a53
Made a few small tweaks to reduce persistent storage accesses in the session
...
backend. Refs #8311 , although doesn't fix the problem there.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 14:59:11 +00:00
Malcolm Tredinnick
9e423b51e3
Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via
...
a cookie) with no corresponding entry in the database.
This only affected the database backend, but I've applied the same fix to all
three backends for robustness.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 19:43:08 +00:00
Malcolm Tredinnick
9d83444f16
Fixed #6984 -- Make sure to load session data from the file (if necessary)
...
prior to truncating it during a save.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8344 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:58:09 +00:00
Malcolm Tredinnick
5e8efa9a60
Implemented a flush() method on sessions that cleans out the session and
...
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.
Based on a patch from mrts. Refs #7515 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:46 +00:00
Malcolm Tredinnick
af7b6475ca
Added guaranteed atomic creation of new session objects. Slightly backwards
...
incompatible for custom session backends.
Whilst we were in the neighbourhood, use a larger range of session key values
to save a small amount of time and use the hardware-base random numbers where
available (transparently falls back to pseudo-RNG otherwise).
Fixed #1080
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:18 +00:00
Gary Wilson Jr
5db4d60215
Several Django styling fixes in the `contrib.sessions` app.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-23 05:08:07 +00:00
Malcolm Tredinnick
9e47cc2e51
Fixed #5507 -- Use a more portable way to get at the system's tmpdir (fixes a
...
problem with the default on Windows). Thanks, Philippe Raoult.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7329 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-20 06:43:58 +00:00
Malcolm Tredinnick
041e24dbde
Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-01-06 12:53:09 +00:00
Jacob Kaplan-Moss
602b7bca7a
Fixed #6082 : file-based sessions now verify that SESSION_FILE_PATH is a valid storage location, and raise ImproperlyConfigured if not. Thanks, jags78.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6889 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-04 20:24:22 +00:00
Malcolm Tredinnick
ae75958820
Fixed #5501 -- Fixed Python 2.3 and 2.4 incompatibility. Thanks, brosner.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6348 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-16 02:03:46 +00:00
Jacob Kaplan-Moss
bcf7e9a9fe
Fixed #2066 : session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 21:29:14 +00:00