Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Security fix. Announcement forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/0.91-bugfixes@8877 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 44debfeaa4473bd28872c735dd3d9afde6886752 1 parent f6c56d4
Jacob Kaplan-Moss authored September 02, 2008
1  django/contrib/admin/templates/admin/login.html
@@ -17,7 +17,6 @@
17 17
 <p class="aligned">
18 18
 <label for="id_password">{% trans 'Password:' %}</label> <input type="password" name="password" id="id_password" />
19 19
 <input type="hidden" name="this_is_the_login_form" value="1" />
20  
-<input type="hidden" name="post_data" value="{{ post_data }}" />{% comment %} <span class="help">{% trans 'Have you <a href="/password_reset/">forgotten your password</a>?' %}</span>{% endcomment %}
21 20
 </p>
22 21
 
23 22
 <div class="aligned ">
42  django/contrib/admin/views/decorators.py
@@ -4,42 +4,19 @@
4 4
 from django.utils import httpwrappers
5 5
 from django.utils.html import escape
6 6
 from django.utils.translation import gettext_lazy
7  
-import base64, datetime, md5
8  
-import cPickle as pickle
  7
+import base64, datetime
9 8
 
10 9
 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.")
11 10
 LOGIN_FORM_KEY = 'this_is_the_login_form'
12 11
 
13 12
 def _display_login_form(request, error_message=''):
14 13
     request.session.set_test_cookie()
15  
-    if request.POST and request.POST.has_key('post_data'):
16  
-        # User has failed login BUT has previously saved post data.
17  
-        post_data = request.POST['post_data']
18  
-    elif request.POST:
19  
-        # User's session must have expired; save their post data.
20  
-        post_data = _encode_post_data(request.POST)
21  
-    else:
22  
-        post_data = _encode_post_data({})
23 14
     return render_to_response('admin/login', {
24 15
         'title': _('Log in'),
25 16
         'app_path': escape(request.path),
26  
-        'post_data': post_data,
27 17
         'error_message': error_message
28 18
     }, context_instance=DjangoContext(request))
29 19
 
30  
-def _encode_post_data(post_data):
31  
-    pickled = pickle.dumps(post_data)
32  
-    pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
33  
-    return base64.encodestring(pickled + pickled_md5)
34  
-
35  
-def _decode_post_data(encoded_data):
36  
-    encoded_data = base64.decodestring(encoded_data)
37  
-    pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
38  
-    if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
39  
-        from django.core.exceptions import SuspiciousOperation
40  
-        raise SuspiciousOperation, "User may have tampered with session cookie."
41  
-    return pickle.loads(pickled)
42  
-
43 20
 def staff_member_required(view_func):
44 21
     """
45 22
     Decorator for views that checks that the user is logged in and is a staff
@@ -48,10 +25,6 @@ def staff_member_required(view_func):
48 25
     def _checklogin(request, *args, **kwargs):
49 26
         if not request.user.is_anonymous() and request.user.is_staff:
50 27
             # The user is valid. Continue to the admin page.
51  
-            if request.POST.has_key('post_data'):
52  
-                # User must have re-authenticated through a different window
53  
-                # or tab.
54  
-                request.POST = _decode_post_data(request.POST['post_data'])
55 28
             return view_func(request, *args, **kwargs)
56 29
 
57 30
         assert hasattr(request, 'session'), "The Django admin requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.middleware.sessions.SessionMiddleware'."
@@ -59,7 +32,7 @@ def _checklogin(request, *args, **kwargs):
59 32
         # If this isn't already the login page, display it.
60 33
         if not request.POST.has_key(LOGIN_FORM_KEY):
61 34
             if request.POST:
62  
-                message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")
  35
+                message = _("Please log in again, because your session has expired.")
63 36
             else:
64 37
                 message = ""
65 38
             return _display_login_form(request, message)
@@ -91,16 +64,7 @@ def _checklogin(request, *args, **kwargs):
91 64
                 request.session[users.SESSION_KEY] = user.id
92 65
                 user.last_login = datetime.datetime.now()
93 66
                 user.save()
94  
-                if request.POST.has_key('post_data'):
95  
-                    post_data = _decode_post_data(request.POST['post_data'])
96  
-                    if post_data and not post_data.has_key(LOGIN_FORM_KEY):
97  
-                        # overwrite request.POST with the saved post_data, and continue
98  
-                        request.POST = post_data
99  
-                        request.user = user
100  
-                        return view_func(request, *args, **kwargs)
101  
-                    else:
102  
-                        request.session.delete_test_cookie()
103  
-                        return httpwrappers.HttpResponseRedirect(request.path)
  67
+                return httpwrappers.HttpResponseRedirect(request.path)
104 68
             else:
105 69
                 return _display_login_form(request, ERROR_MESSAGE)
106 70
 

0 notes on commit 44debfe

Please sign in to comment.
Something went wrong with that request. Please try again.