From fbe2eead2fa9d808658ca582241bcacb02618840 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Sat, 10 Sep 2011 01:08:02 +0000 Subject: [PATCH] [1.3.X] Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly. Backport of r16759 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16762 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/sessions/backends/cache.py | 10 ++++++---- django/contrib/sessions/backends/cached_db.py | 14 +++++++++----- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/django/contrib/sessions/backends/cache.py b/django/contrib/sessions/backends/cache.py index ab0716dcb4460..b326b8b0d42b1 100644 --- a/django/contrib/sessions/backends/cache.py +++ b/django/contrib/sessions/backends/cache.py @@ -1,6 +1,8 @@ from django.contrib.sessions.backends.base import SessionBase, CreateError from django.core.cache import cache +KEY_PREFIX = "django.contrib.sessions.cache" + class SessionStore(SessionBase): """ A cache-based session store. @@ -10,7 +12,7 @@ def __init__(self, session_key=None): super(SessionStore, self).__init__(session_key) def load(self): - session_data = self._cache.get(self.session_key) + session_data = self._cache.get(KEY_PREFIX + self.session_key) if session_data is not None: return session_data self.create() @@ -37,13 +39,13 @@ def save(self, must_create=False): func = self._cache.add else: func = self._cache.set - result = func(self.session_key, self._get_session(no_load=must_create), + result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create), self.get_expiry_age()) if must_create and not result: raise CreateError def exists(self, session_key): - if self._cache.has_key(session_key): + if self._cache.has_key(KEY_PREFIX + session_key): return True return False @@ -52,5 +54,5 @@ def delete(self, session_key=None): if self._session_key is None: return session_key = self._session_key - self._cache.delete(session_key) + self._cache.delete(KEY_PREFIX + session_key) diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py index 9e22c69228f00..465472d29c48a 100644 --- a/django/contrib/sessions/backends/cached_db.py +++ b/django/contrib/sessions/backends/cached_db.py @@ -6,6 +6,8 @@ from django.contrib.sessions.backends.db import SessionStore as DBStore from django.core.cache import cache +KEY_PREFIX = "django.contrib.sessions.cached_db" + class SessionStore(DBStore): """ Implements cached, database backed sessions. @@ -15,10 +17,11 @@ def __init__(self, session_key=None): super(SessionStore, self).__init__(session_key) def load(self): - data = cache.get(self.session_key, None) + data = cache.get(KEY_PREFIX + self.session_key, None) if data is None: data = super(SessionStore, self).load() - cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE) + cache.set(KEY_PREFIX + self.session_key, data, + settings.SESSION_COOKIE_AGE) return data def exists(self, session_key): @@ -26,11 +29,12 @@ def exists(self, session_key): def save(self, must_create=False): super(SessionStore, self).save(must_create) - cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE) + cache.set(KEY_PREFIX + self.session_key, self._session, + settings.SESSION_COOKIE_AGE) def delete(self, session_key=None): super(SessionStore, self).delete(session_key) - cache.delete(session_key or self.session_key) + cache.delete(KEY_PREFIX + (session_key or self.session_key)) def flush(self): """ @@ -39,4 +43,4 @@ def flush(self): """ self.clear() self.delete(self.session_key) - self.create() \ No newline at end of file + self.create()