Session Initializer Security Flaw Fix #109
Updating session code to create a new copy of the initializer object with each new session. Caused major security issues at my company. This flaw allowed new users to log in as the last session used by Web.py.
I used deepcopy, because we set our initializer to a nested dictionary and normal copy() doesn't cut it.
I'm going to merge this because it seems harmless, even though I've never looked at the session code before.
If I read it correctly, it only affects people who pass an initializer dictionary containing items that need to be deepcopy'd, which I presume anyone who tries will quickly notice, so I'm not going to call a five-alarm security alert, but let me know if I'm missing something.
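An added example (not web.py's own code and not the diff of this PR) of the behaviour the PR description and the reply above discuss: a toy session store seeded from a nested initializer dictionary, showing what a later session sees when the initializer is reused directly, shallow-copied with copy(), or deep-copied. SessionStore, new_session, simulate_logins and the sample initializer are all constructed for illustration.

```python
from copy import copy, deepcopy

# Constructed toy modelled on the pattern described in the PR; the class and
# function names are assumptions for this example, not web.py's API.
class SessionStore:
    """Hands out one fresh session dict per login, seeded from `initializer`.

    mode="none"    reuse the initializer object as-is (the flawed behaviour)
    mode="shallow" seed from copy(initializer): top level fresh, nested shared
    mode="deep"    seed from deepcopy(initializer): the fix in this PR
    """
    def __init__(self, initializer, mode="deep"):
        self._initializer = initializer
        self._mode = mode
        self._sessions = []

    def _seed(self):
        if self._mode == "none":
            return self._initializer
        if self._mode == "shallow":
            return copy(self._initializer)
        return deepcopy(self._initializer)

    def new_session(self):
        data = {}
        data.update(self._seed())  # update() copies keys, not nested objects
        self._sessions.append(data)
        return data

def simulate_logins(mode):
    """User 'alice' logs in and her session is populated; then a brand-new
    session is created and returned so we can see what it inherited."""
    initializer = {"logged_in": False, "user": {"name": None, "roles": []}}
    store = SessionStore(initializer, mode)
    first = store.new_session()
    first["logged_in"] = True            # top-level key: never leaks
    first["user"]["name"] = "alice"      # nested dict: leaks unless deep-copied
    first["user"]["roles"].append("admin")
    second = store.new_session()
    return second

def session_leaks(mode):
    """True if a new session starts out carrying the previous user's data."""
    second = simulate_logins(mode)
    return second["user"]["name"] is not None or bool(second["user"]["roles"])
```

Only the deep-copied seed keeps the second session clean; copy() leaves the nested "user" dict shared, which is exactly why the PR uses deepcopy.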