
Fixed #741 -- Made models.core.Session.get_decoded() fault-tolerant, …

…in case of funky pickled data. Thanks, kieranholland

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1099 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 557aa1572ce6b6e5428021c937fdef298dea700e 1 parent e19c9cc
Adrian Holovaty adrianholovaty authored
Showing with 8 additions and 4 deletions.
  1. +8 −4 django/models/core.py
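--- a/django/models/core.py
+++ b/django/models/core.py
@@ -1,3 +1,5 @@
+import base64, md5, random, sys
+import cPickle as pickle
 from django.core import meta, validators
 from django.utils.translation import gettext_lazy as _
@@ -107,9 +109,6 @@ def __repr__(self):
 def get_absolute_url(self):
 return self.url
-import base64, md5, random, sys
-import cPickle as pickle
-
 class Session(meta.Model):
 session_key = meta.CharField(_('session key'), maxlength=40, primary_key=True)
 session_data = meta.TextField(_('session data'))
@@ -132,7 +131,12 @@ def get_decoded(self):
 if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
 from django.core.exceptions import SuspiciousOperation
 raise SuspiciousOperation, "User tampered with session cookie."
- return pickle.loads(pickled)
+ try:
+ return pickle.loads(pickled)
+ # Unpickling can cause a variety of exceptions. If something happens,
+ # just return an empty dictionary (an empty session).
+ except:
+ return {}
 def _module_encode(session_dict):
 "Returns the given session dictionary pickled and encoded as a string."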
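Review bot: The bare `except:` around `pickle.loads(pickled)` in `get_decoded` hides every failure, including `KeyboardInterrupt` and `SystemExit`, and returns `{}` with no record that a session was discarded, so corrupted or manipulated rows become invisible to whoever operates the site. I would re-raise the interpreter-level exceptions first with `except (KeyboardInterrupt, SystemExit): raise` and have the fallback branch record the failure before returning the empty dict. Catching errors also does not make the load safe: a pickle's side effects run during `pickle.loads`, before anything is raised, so the MD5 comparison on the context lines above remains the only guard, and a comment such as `# Only reached after the tamper check; the except covers corrupt data and is not a safety net for untrusted pickles.` would keep that clear. The start of `get_decoded` is outside the hunk, so how `pickled` and `tamper_check` are derived is not visible here.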