Removed Django 1.2 compatibility fallback for session data integrity check hash.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
@@ -105,24 +105,9 @@ class SessionBase(object):
|
|||||||
else:
|
else:
|
||||||
return pickle.loads(pickled)
|
return pickle.loads(pickled)
|
||||||
except Exception:
|
except Exception:
|
||||||
# ValueError, SuspiciousOperation, unpickling exceptions
|
# ValueError, SuspiciousOperation, unpickling exceptions. If any of
|
||||||
# Fall back to Django 1.2 method
|
# these happen, just return an empty dictionary (an empty session).
|
||||||
# PendingDeprecationWarning <- here to remind us to
|
return {}
|
||||||
# remove this fallback in Django 1.5
|
|
||||||
try:
|
|
||||||
return self._decode_old(session_data)
|
|
||||||
except Exception:
|
|
||||||
# Unpickling can cause a variety of exceptions. If something happens,
|
|
||||||
# just return an empty dictionary (an empty session).
|
|
||||||
return {}
|
|
||||||
|
|
||||||
def _decode_old(self, session_data):
|
|
||||||
encoded_data = base64.decodestring(session_data)
|
|
||||||
pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
|
|
||||||
if not constant_time_compare(hashlib.md5(pickled + settings.SECRET_KEY).hexdigest(),
|
|
||||||
tamper_check):
|
|
||||||
raise SuspiciousOperation("User tampered with session cookie.")
|
|
||||||
return pickle.loads(pickled)
|
|
||||||
|
|
||||||
def update(self, dict_):
|
def update(self, dict_):
|
||||||
self._session.update(dict_)
|
self._session.update(dict_)
|
||||||
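Review bot: The `except Exception:` that now ends `decode()` returns `{}` for every failure, so a session payload that fails the integrity check is handled exactly like a truncated or corrupt one and leaves no trace for whoever monitors the site. I would catch `SuspiciousOperation` in its own clause ahead of the generic one and write a warning to the project's log before returning the empty session, keeping the broad clause only for decoding and unpickling errors. The `try:` and the hash comparison sit above the hunk, so this assumes, as the comment suggests, that `SuspiciousOperation` is raised there. It is also worth a comment on the `return pickle.loads(pickled)` line, for example `# Safe only because the hash check above passed; never unpickle before it.`, since that ordering is what keeps untrusted bytes away from pickle.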
|
@@ -1,7 +1,4 @@
|
|||||||
import base64
|
|
||||||
from datetime import datetime, timedelta
|
from datetime import datetime, timedelta
|
||||||
import hashlib
|
|
||||||
import pickle
|
|
||||||
import shutil
|
import shutil
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
@@ -252,18 +249,6 @@ class SessionTestsMixin(object):
|
|||||||
encoded = self.session.encode(data)
|
encoded = self.session.encode(data)
|
||||||
self.assertEqual(self.session.decode(encoded), data)
|
self.assertEqual(self.session.decode(encoded), data)
|
||||||
|
|
||||||
def test_decode_django12(self):
|
|
||||||
# Ensure we can decode values encoded using Django 1.2
|
|
||||||
# Hard code the Django 1.2 method here:
|
|
||||||
def encode(session_dict):
|
|
||||||
pickled = pickle.dumps(session_dict, pickle.HIGHEST_PROTOCOL)
|
|
||||||
pickled_md5 = hashlib.md5(pickled + settings.SECRET_KEY).hexdigest()
|
|
||||||
return base64.encodestring(pickled + pickled_md5)
|
|
||||||
|
|
||||||
data = {'a test key': 'a test value'}
|
|
||||||
encoded = encode(data)
|
|
||||||
self.assertEqual(self.session.decode(encoded), data)
|
|
||||||
|
|
||||||
|
|
||||||
class DatabaseSessionTests(SessionTestsMixin, TestCase):
|
class DatabaseSessionTests(SessionTestsMixin, TestCase):
|
||||||
|
|
||||||
|