Fixed #14685 - incompatible code in contrib.sessions.models

Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 0324151bece5ab413250ada14428e41b6b59bf0b 1 parent 74f46c0
Luke Plant authored November 14, 2010
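--- a/django/contrib/sessions/models.py
+++ b/django/contrib/sessions/models.py
@@ -3,18 +3,13 @@
 
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
-from django.utils.hashcompat import md5_constructor
-
 
 class SessionManager(models.Manager):
     def encode(self, session_dict):
         """
         Returns the given session dictionary pickled and encoded as a string.
         """
-        pickled = pickle.dumps(session_dict)
-        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
-        return base64.encodestring(pickled + pickled_md5)
+        return SessionStore().encode(session_dict)
 
     def save(self, session_key, session_dict, expire_date):
         s = self.model(session_key, self.encode(session_dict), expire_date)
@@ -54,14 +49,6 @@ class Meta:
         verbose_name_plural = _('sessions')
 
     def get_decoded(self):
-        encoded_data = base64.decodestring(self.session_data)
-        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
-        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
-            from django.core.exceptions import SuspiciousOperation
-            raise SuspiciousOperation("User tampered with session cookie.")
-        try:
-            return pickle.loads(pickled)
-        # Unpickling can cause a variety of exceptions. If something happens,
-        # just return an empty dictionary (an empty session).
-        except:
-            return {}
+        return SessionStore().decode(self.session_data)
+
+from django.contrib.sessions.backends.db import SessionStore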
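Review bot: The new module-level `from django.contrib.sessions.backends.db import SessionStore` sits after the class bodies with no explanation, so the next reader or an import sorter will move it to the top of the file; presumably it is placed last because backends.db itself imports the Session model from this module, and a top-of-file import would be circular — add `# Imported last: backends.db imports Session from this module (circular import).` above it. `get_decoded` now hands integrity checking to `SessionStore.decode`, so the explicit SuspiciousOperation branch that used to live here is no longer visible in this file; a docstring such as `"""Decode session_data via SessionStore; integrity failures are handled by SessionStore.decode."""` would tell a maintainer where tamper handling now lives. The `save` method in the first hunk continues past the hunk edge.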
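--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -263,6 +263,33 @@ class DatabaseSessionTests(SessionTestsMixin, TestCase):
 
     backend = DatabaseSession
 
+    def test_session_get_decoded(self):
+        """
+        Test we can use Session.get_decoded to retrieve data stored
+        in normal way
+        """
+        self.session['x'] = 1
+        self.session.save()
+
+        s = Session.objects.get(session_key=self.session.session_key)
+
+        self.assertEqual(s.get_decoded(), {'x': 1})
+
+    def test_sessionmanager_save(self):
+        """
+        Test SessionManager.save method
+        """
+        # Create a session
+        self.session['y'] = 1
+        self.session.save()
+
+        s = Session.objects.get(session_key=self.session.session_key)
+        # Change it
+        Session.objects.save(s.session_key, {'y':2}, s.expire_date)
+        # Clear cache, so that it will be retrieved from DB
+        del self.session._session_cache
+        self.assertEqual(self.session['y'], 2)
+
 
 class CacheDBSessionTests(SessionTestsMixin, TestCase):
 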
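Review bot: Neither new test exercises the failure path that the models.py change hands to `SessionStore.decode` — `test_session_get_decoded` only round-trips well-formed data, so a regression in how modified or malformed `session_data` is handled (previously an explicit SuspiciousOperation check inside `Session.get_decoded`) would go unnoticed. A third test that saves a session, alters the stored `s.session_data`, and asserts on the outcome of `s.get_decoded()` (whatever `SessionStore.decode` is documented to do on an integrity failure, which this diff does not show) would pin that behaviour at the model layer. Minor wording: the docstring `in normal way` reads better as `in the normal way`, and `{'y':2}` wants a space after the colon per PEP 8.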
