Commit Graph

70 Commits

Author SHA1 Message Date
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 121d2e3678 Fixed #12991 -- Added unittest2 support. Thanks to PaulM for the draft patch, and to Luke, Karen, Justin, Alex, Łukasz Rekucki, and Chuck Harmston for their help testing and reviewing the final patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:55:17 +00:00
Russell Keith-Magee a904e55859 Fixed #11509 -- Modified usage of "Web" to match our style guide in various documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 08:12:50 +00:00
Russell Keith-Magee 597e03cd74 Fixed #14096 -- Corrected Python 2.4 syntax issue. Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13579 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-14 12:11:02 +00:00
Luke Plant 5eece23296 Converted sessions tests from doctest to unittest.
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
Russell Keith-Magee 962defed0a Fixed #13200 -- Updated the DB session backend to make full use of routers, deprecating the need for the SESSION_DB_ALIAS setting. Thanks to rokclimb15 for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12844 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-25 10:29:06 +00:00
Adrian Holovaty 5ceed0a053 Changed a whole bunch of places to raise exception instances instead of old-style raising exception classes plus a comma. Good for the future Python 3 conversion
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12180 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 18:36:20 +00:00
Russell Keith-Magee ff60c5f9de Fixed #1142 -- Added multiple database support.
This monster of a patch is the result of Alex Gaynor's 2009 Google Summer of Code project.
Congratulations to Alex for a job well done.

Big thanks also go to:
 * Justin Bronn for keeping GIS in line with the changes,
 * Karen Tracey and Jani Tiainen for their help testing Oracle support
 * Brett Hoerner, Jon Loyens, and Craig Kimmerer for their feedback.
 * Malcolm Treddinick for his guidance during the GSoC submission process.
 * Simon Willison for driving the original design process
 * Cal Henderson for complaining about ponies he wanted.

... and everyone else too numerous to mention that helped to bring this feature into fruition.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11952 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-22 15:18:51 +00:00
Jacob Kaplan-Moss c485e236bd Fixed #8193: all dynamic imports in Django are now done correctly. I know this because Brett Cannon borrowed the time machine and brought Python 2.7's '`importlib` back for inclusion in Django. Thanks for the patch-from-the-future, Brett!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10088 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-18 16:55:59 +00:00
Malcolm Tredinnick d77236960a Fixed #9548 -- Correctly detect existence of empty sessions with cache backend.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9934 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-01 07:32:41 +00:00
Jacob Kaplan-Moss 299e1e814f Fixed #6791: added a write-through cache session backend: session data is written through the cache to the database, but read from the cache for speed. Thanks to jhenry, mcroydon, and jdunck.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9727 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-10 22:18:14 +00:00
Jacob Kaplan-Moss b21ea0a836 More be-nice-to-the-buildbot: be better about cleaning up files created by the cache/session tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-10 21:41:12 +00:00
Malcolm Tredinnick a10fcbdb8b Fixed #9096 -- Fixed a slightly out-of-date comment.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-17 08:10:55 +00:00
Jacob Kaplan-Moss 89633c3077 Fixed a small oversight in [8750]; thanks for the sharp eyes, Warren. Fixes #8616.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8812 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-01 20:25:16 +00:00
Jacob Kaplan-Moss eebc7caa63 Fixed #8616 (again): prevent a race condition in the session file backend. Many thanks to Warren Smith for help and the eventual fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-30 20:50:41 +00:00
Malcolm Tredinnick 3717e3bba3 Reverted #8688 for now, since it merely introduced different bugs, rather than
fixing the problem. We have a plan B (and plan C, if needed), so this will be
fixed in a different way.

Refs #8616.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 17:32:21 +00:00
Malcolm Tredinnick 02f86a1c7c Fixed #8616 -- Fixed a race condition in the file-based session backend.
Thanks to warren@wandrsmith.net for the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 01:44:11 +00:00
Malcolm Tredinnick ee28560997 Fixed #8311 -- Avoid an infinite loop with session key generation when using
the cache backend and memcached goes away (or is not running).


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8620 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-27 08:58:51 +00:00
Malcolm Tredinnick 213f294638 Avoid a crash when unencoding session data for the db backend. This is required
because some configurations of MySQL (with utf8_bin collation) will return
bytestring, rather than unicode data, which was causing problems previously.

Refs #8340.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8507 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 22:59:04 +00:00
Malcolm Tredinnick c8c159cbba When logging in, change the session key whilst preserving any existing
sesssion. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 13:54:53 +00:00
Malcolm Tredinnick eb85af1865 Fixed #8457 -- Fixed a missing import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8451 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-20 21:12:45 +00:00
Malcolm Tredinnick 54f9a98713 Fixed #8351 -- Fixed the returned value when we attempt to load a cache-backed session object that doesn't alreayd exist.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-16 15:54:36 +00:00
Malcolm Tredinnick 0d48087a53 Made a few small tweaks to reduce persistent storage accesses in the session
backend. Refs #8311, although doesn't fix the problem there.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 14:59:11 +00:00
Malcolm Tredinnick 9e423b51e3 Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via
a cookie) with no corresponding entry in the database.

This only affected the database backend, but I've applied the same fix to all
three backends for robustness.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 19:43:08 +00:00
Gary Wilson Jr f9301fa8f4 Removed some testing code inadvertently commited in [8348].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8349 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 15:41:38 +00:00
Gary Wilson Jr 788de6b5fd Fixed #8206 -- Removed validate methods of Model and Model fields. They are are unsupported for 1.0 and will be replaced with more complete model validation (refs #6845).
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8348 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 15:37:43 +00:00
Malcolm Tredinnick 2da6628519 Fixed #8310 -- Actually use the SystemRandom RNG, if available, which fixes an
oversight from [8340]. The previous code worked, but this is what I really
intended.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8346 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 13:54:22 +00:00
Malcolm Tredinnick 9d83444f16 Fixed #6984 -- Make sure to load session data from the file (if necessary)
prior to truncating it during a save.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8344 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:58:09 +00:00
Malcolm Tredinnick 5e8efa9a60 Implemented a flush() method on sessions that cleans out the session and
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.

Based on a patch from mrts. Refs #7515.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:46 +00:00
Malcolm Tredinnick 31ec68c5d9 Added a clear() method to sessions. Patch from mrts. Refs #7515.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8341 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:30 +00:00
Malcolm Tredinnick af7b6475ca Added guaranteed atomic creation of new session objects. Slightly backwards
incompatible for custom session backends.

Whilst we were in the neighbourhood, use a larger range of session key values
to save a small amount of time and use the hardware-base random numbers where
available (transparently falls back to pseudo-RNG otherwise).

Fixed #1080


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8340 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:18 +00:00
Gary Wilson Jr c85c8f8891 Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. Patch from Karen Tracey.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02 05:56:57 +00:00
Malcolm Tredinnick 004ff03a8e Removed TEST_COOKIE_NAME and TEST_COOKIE_VALUE constants from
sessions.middleware. They haven't been used here since the great refactor and
are duplicated in sessions.backends.base.SessionBase.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8156 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-30 21:55:47 +00:00
Adrian Holovaty 29f0e8182f Fixed #7847 -- Removed a whole bunch of unused imports from throughout the codebase. Thanks, julien
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8046 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-22 03:24:09 +00:00
Gary Wilson Jr 5db4d60215 Several Django styling fixes in the `contrib.sessions` app.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-23 05:08:07 +00:00
Russell Keith-Magee dc7f21daf7 Fixed #7429 -- Modified the Session base class a little more dictionary-like by adding update(), has_key(), values(), and iterator access methods. Thanks to Jeremy Dunck for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7687 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-18 12:07:46 +00:00
Jacob Kaplan-Moss 8d4f79a799 Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit Upadhyay and SmileyChris.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-07 20:28:06 +00:00
Malcolm Tredinnick 9e47cc2e51 Fixed #5507 -- Use a more portable way to get at the system's tmpdir (fixes a
problem with the default on Windows). Thanks, Philippe Raoult.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@7329 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-20 06:43:58 +00:00
Malcolm Tredinnick f1a24be01c Fixed #6481 -- Fixed a bunch of import problems (and some whitespace cleanups).
Found by Bastian Kleineidam with help from pyflakes. Thanks.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@7131 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-02-19 00:08:08 +00:00
Malcolm Tredinnick 041e24dbde Fixed a subtle corner case whereby sending a bad session ID generates new (unused) session entries in the database table.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7001 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-01-06 12:53:09 +00:00
Jacob Kaplan-Moss 35921e570b Added a test for [6889]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6890 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-04 20:29:43 +00:00
Jacob Kaplan-Moss 602b7bca7a Fixed #6082: file-based sessions now verify that SESSION_FILE_PATH is a valid storage location, and raise ImproperlyConfigured if not. Thanks, jags78.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6889 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-04 20:24:22 +00:00
Malcolm Tredinnick 49da9ab57e Fixed #6087 -- Added setdefault() support to the Session object. Thanks, Ben
Slavin.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6831 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-02 15:27:29 +00:00
Malcolm Tredinnick cf21274b1a Fixed #6081 -- Removed unused code. Thanks, Ben Slavin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6796 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-01 18:10:14 +00:00
Gary Wilson Jr 8c442f21dc Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 03:59:40 +00:00
Gary Wilson Jr a7a6a1b75d Fixed imports, indention, and a long line.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-29 23:55:08 +00:00
Malcolm Tredinnick 4c0d8d882d Fixed #4729 -- Restored functionality to the Session class so that popping a
value marks it as modified. This was accidentally lost in the changes in
[6333]. Thanks, __hawkeye__.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6558 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 10:12:59 +00:00
Malcolm Tredinnick e172e7be57 Fixed #4724 -- Added support for configurable session cookie paths. Helps with
multiple Django installs under the same hostname. Thanks, frej and Graham
Dumpleton.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 05:13:56 +00:00
Gary Wilson Jr e8c9e3a853 Fixed #5598 -- Restored needed imports that were removed in [6333]. Thanks, gav.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6425 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-25 23:16:11 +00:00
Adrian Holovaty 79dead9a24 Removed trailing whitespace in django/contrib/sessions/backends/base.py
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6388 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-20 04:35:03 +00:00