From 0324151bece5ab413250ada14428e41b6b59bf0b Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Sun, 14 Nov 2010 22:23:46 +0000
Subject: [PATCH] Fixed #14685 - incompatible code in contrib.sessions.models
Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/sessions/models.py | 21 ++++-----------------
 django/contrib/sessions/tests.py | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/django/contrib/sessions/models.py b/django/contrib/sessions/models.py
index 32cbc39451..f438707e40 100644
--- a/django/contrib/sessions/models.py
+++ b/django/contrib/sessions/models.py
@@ -3,18 +3,13 @@ import cPickle as pickle
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
-from django.utils.hashcompat import md5_constructor
-
 class SessionManager(models.Manager):
 def encode(self, session_dict):
 """
 Returns the given session dictionary pickled and encoded as a string.
 """
- pickled = pickle.dumps(session_dict)
- pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
- return base64.encodestring(pickled + pickled_md5)
+ return SessionStore().encode(session_dict)
 def save(self, session_key, session_dict, expire_date):
 s = self.model(session_key, self.encode(session_dict), expire_date)
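Review bot: The `import cPickle as pickle` named in this hunk's header, and whichever import supplied `base64` to the removed `base64.encodestring` call, look unused in models.py once `encode` delegates to `SessionStore().encode(session_dict)`. If nothing outside the visible hunks still needs them, drop both so the model module no longer reads as if it did its own pickling. The `encode` docstring should also say where the format and tamper protection now come from, for example `Returns the session dictionary serialized by SessionStore.encode, so rows match what the db backend writes.` The body of `save` continues outside the hunk.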
@@ -54,14 +49,6 @@ class Session(models.Model):
 verbose_name_plural = _('sessions')
 def get_decoded(self):
- encoded_data = base64.decodestring(self.session_data)
- pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
- if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
- from django.core.exceptions import SuspiciousOperation
- raise SuspiciousOperation("User tampered with session cookie.")
- try:
- return pickle.loads(pickled)
- # Unpickling can cause a variety of exceptions. If something happens,
- # just return an empty dictionary (an empty session).
- except:
- return {}
+ return SessionStore().decode(self.session_data)
+
+from django.contrib.sessions.backends.db import SessionStore
diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
index c02b8807ef..9000714dc4 100644
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -263,6 +263,33 @@ class DatabaseSessionTests(SessionTestsMixin, TestCase):
 backend = DatabaseSession
+ def test_session_get_decoded(self):
+ """
+ Test we can use Session.get_decoded to retrieve data stored
+ in normal way
+ """
+ self.session['x'] = 1
+ self.session.save()
+
+ s = Session.objects.get(session_key=self.session.session_key)
+
+ self.assertEqual(s.get_decoded(), {'x': 1})
+
+ def test_sessionmanager_save(self):
+ """
+ Test SessionManager.save method
+ """
+ # Create a session
+ self.session['y'] = 1
+ self.session.save()
+
+ s = Session.objects.get(session_key=self.session.session_key)
+ # Change it
+ Session.objects.save(s.session_key, {'y':2}, s.expire_date)
+ # Clear cache, so that it will be retrieved from DB
+ del self.session._session_cache
+ self.assertEqual(self.session['y'], 2)
+
 class CacheDBSessionTests(SessionTestsMixin, TestCase):
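Review bot: `get_decoded` no longer states its failure contract: the removed code raised `SuspiciousOperation` on a hash mismatch and returned `{}` when unpickling failed, and both outcomes now depend on `SessionStore.decode`, which is not visible in this patch. Callers that caught the exception or relied on the empty dict should be checked against the backend, and the backend's integrity check must still run before any unpickling of `session_data`. A docstring on `get_decoded` should record the resulting behaviour for tampered or undecodable data. The trailing `from django.contrib.sessions.backends.db import SessionStore` is presumably placed last to avoid a circular import and should say so, for example `# Imported at the bottom: backends.db imports Session from this module.`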
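Review bot: Both new tests in `DatabaseSessionTests` use only well-formed data, so nothing pins what `Session.get_decoded` returns when `session_data` has been altered or is not valid base64, which is the security-relevant path the removed model code handled explicitly. A third test that saves a row with a modified `session_data` value and asserts the documented outcome (an empty dict or `SuspiciousOperation`, whichever `SessionStore.decode` specifies) would cover it. `test_sessionmanager_save` also deletes the private `_session_cache` attribute; reading through a fresh store, `self.backend(self.session.session_key)['y']`, would hit the database without relying on that internal name. The class body continues outside the hunk.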