#12909: Session Middleware ignores DEBUG setting - Potential Security Issue
-------------------------------------+--------------------------------------
 Reporter:   jhovanny                | Owner:      nobody
 Status:     new                     | Milestone:  1.2
 Component:  django.contrib.sessions | Version:    1.2-beta
 Keywords:                           | Stage:      Unreviewed
 Has_patch:  0                       |
-------------------------------------+--------------------------------------
If there is an error connecting to the session database, the session
middleware throws an Exception that's visible regardless of the DEBUG
setting. The stack trace appears in a blank page (non-conforming to the
standard debug template). To reproduce this ticket, drop the
django_session table and try to log in to any Django application. The
expected behavior is not to show a stack trace when DEBUG=False.
{{{
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 280, in run
    self.result = application(self.environ, self.start_response)
  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 674, in __call__
    return self.application(environ, start_response)
  File "/usr/local/lib/python2.6/dist-packages/django/core/handlers/wsgi.py", line 245, in __call__
    response = middleware_method(request, response)
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/middleware.py", line 36, in process_response
    request.session.save()
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 57, in save
    session_key = self.session_key,
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 152, in _get_session_key
    self._session_key = self._get_new_session_key()
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 144, in _get_new_session_key
    if not self.exists(session_key):
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 30, in exists
    Session.objects.get(session_key=session_key)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/manager.py", line 132, in get
    return self.get_query_set().get(*args, **kwargs)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 334, in get
    num = len(clone)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 79, in __len__
    self._result_cache = list(self.iterator())
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 267, in iterator
    for row in compiler.results_iter():
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 685, in results_iter
    for rows in self.execute_sql(MULTI):
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 740, in execute_sql
    cursor.execute(sql, params)
  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/util.py", line 19, in execute
    return self.cursor.execute(sql, params)
  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/postgresql_psycopg2/base.py", line 44, in execute
    return self.cursor.execute(query, args)
DatabaseError: relation "django_session" does not exist
LINE 1: ...ession_data", "django_session"."expire_date" FROM "django_se...
^
}}}
--
Ticket URL: <http://code.djangoproject.com/ticket/12909>