Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16759 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:48 +00:00 · 2011-09-10 00:46:48 +00:00 · 33076af6f2
parent 893cea211a
commit 33076af6f2
2 changed files with 15 additions and 9 deletions
--- a/django/contrib/sessions/backends/cache.py
+++ b/django/contrib/sessions/backends/cache.py
@ -1,6 +1,8 @@
 from django.contrib.sessions.backends.base import SessionBase, CreateError
 from django.core.cache import cache

+KEY_PREFIX = "django.contrib.sessions.cache"
+
 class SessionStore(SessionBase):
    """
    A cache-based session store.
@ -10,7 +12,7 @@ class SessionStore(SessionBase):
        super(SessionStore, self).__init__(session_key)

    def load(self):
-        session_data = self._cache.get(self.session_key)
+        session_data = self._cache.get(KEY_PREFIX + self.session_key)
        if session_data is not None:
            return session_data
        self.create()
@ -37,18 +39,18 @@ class SessionStore(SessionBase):
            func = self._cache.add
        else:
            func = self._cache.set
-        result = func(self.session_key, self._get_session(no_load=must_create),
+        result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),
                self.get_expiry_age())
        if must_create and not result:
            raise CreateError

    def exists(self, session_key):
-        return session_key in self._cache
+        return (KEY_PREFIX + session_key) in self._cache

    def delete(self, session_key=None):
        if session_key is None:
            if self._session_key is None:
                return
            session_key = self._session_key
-        self._cache.delete(session_key)
+        self._cache.delete(KEY_PREFIX + session_key)

--- a/django/contrib/sessions/backends/cached_db.py
+++ b/django/contrib/sessions/backends/cached_db.py
@ -6,6 +6,8 @@ from django.conf import settings
 from django.contrib.sessions.backends.db import SessionStore as DBStore
 from django.core.cache import cache

+KEY_PREFIX = "django.contrib.sessions.cached_db"
+
 class SessionStore(DBStore):
    """
    Implements cached, database backed sessions.
@ -15,10 +17,11 @@ class SessionStore(DBStore):
        super(SessionStore, self).__init__(session_key)

    def load(self):
-        data = cache.get(self.session_key, None)
+        data = cache.get(KEY_PREFIX + self.session_key, None)
        if data is None:
            data = super(SessionStore, self).load()
-            cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE)
+            cache.set(KEY_PREFIX + self.session_key, data, 
+                      settings.SESSION_COOKIE_AGE)
        return data

    def exists(self, session_key):
@ -26,11 +29,12 @@ class SessionStore(DBStore):

    def save(self, must_create=False):
        super(SessionStore, self).save(must_create)
-        cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
+        cache.set(KEY_PREFIX + self.session_key, self._session, 
+                  settings.SESSION_COOKIE_AGE)

    def delete(self, session_key=None):
        super(SessionStore, self).delete(session_key)
-        cache.delete(session_key or self.session_key)
+        cache.delete(KEY_PREFIX + (session_key or self.session_key))

    def flush(self):
        """