Author: russellm
Date: 2011-09-09 18:28:40 -0700 (Fri, 09 Sep 2011)
New Revision: 16765
Modified:
django/branches/releases/1.2.X/django/contrib/sessions/backends/cache.py
django/branches/releases/1.2.X/django/contrib/sessions/backends/cached_db.py
Log:
[1.2.X] Corrected an issue which could allow attackers to manipulate session
data using the cache. A security announcement will be made shortly.
Backport of r16759 from trunk.
Modified:
django/branches/releases/1.2.X/django/contrib/sessions/backends/cache.py
===================================================================
--- django/branches/releases/1.2.X/django/contrib/sessions/backends/cache.py
2011-09-10 01:28:31 UTC (rev 16764)
+++ django/branches/releases/1.2.X/django/contrib/sessions/backends/cache.py
2011-09-10 01:28:40 UTC (rev 16765)
@@ -1,6 +1,8 @@
from django.contrib.sessions.backends.base import SessionBase, CreateError
from django.core.cache import cache
+KEY_PREFIX = "django.contrib.sessions.cache"
+
class SessionStore(SessionBase):
"""
A cache-based session store.
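Review bot: The new `KEY_PREFIX` constant at the top of this hunk carries no comment explaining why session cache keys are now namespaced; the commit log is the only record that the unprefixed, cookie-supplied session key could be used to manipulate session data through the shared cache. A maintainer who later sees a bare string constant may shorten, rename or drop it without realizing it is a security boundary. I would put above it `# Namespace session entries in the shared cache: the session key arrives from the client cookie and must not be able to address cache entries outside this namespace.` The same comment belongs on the matching constant in the first cached_db.py hunk, which is equally uncommented.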
@@ -10,7 +12,7 @@
super(SessionStore, self).__init__(session_key)
def load(self):
- session_data = self._cache.get(self.session_key)
+ session_data = self._cache.get(KEY_PREFIX + self.session_key)
if session_data is not None:
return session_data
self.create()
@@ -37,13 +39,13 @@
func = self._cache.add
else:
func = self._cache.set
- result = func(self.session_key, self._get_session(no_load=must_create),
+ result = func(KEY_PREFIX + self.session_key,
self._get_session(no_load=must_create),
self.get_expiry_age())
if must_create and not result:
raise CreateError
def exists(self, session_key):
- if self._cache.has_key(session_key):
+ if self._cache.has_key(KEY_PREFIX + session_key):
return True
return False
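Review bot: The prefix is concatenated by hand at each call site in this hunk (`func(KEY_PREFIX + self.session_key, ...)`, `has_key(KEY_PREFIX + session_key)`), and likewise in the load and delete hunks of this file and in every cached_db.py hunk, so any future call site that forgets the prefix silently reopens the unnamespaced key. A one-line private helper on the class, `def _cache_key(self, session_key): return KEY_PREFIX + session_key`, used from every site would make the prefixing impossible to miss and give the security-relevant transformation a single reviewable home. As a minor point of style, `exists` could simply `return self._cache.has_key(KEY_PREFIX + session_key)` if the backend's `has_key` returns a bool, which the hunk does not show.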
@@ -52,5 +54,5 @@
if self._session_key is None:
return
session_key = self._session_key
- self._cache.delete(session_key)
+ self._cache.delete(KEY_PREFIX + session_key)
Modified:
django/branches/releases/1.2.X/django/contrib/sessions/backends/cached_db.py
===================================================================
---
django/branches/releases/1.2.X/django/contrib/sessions/backends/cached_db.py
2011-09-10 01:28:31 UTC (rev 16764)
+++
django/branches/releases/1.2.X/django/contrib/sessions/backends/cached_db.py
2011-09-10 01:28:40 UTC (rev 16765)
@@ -6,6 +6,8 @@
from django.contrib.sessions.backends.db import SessionStore as DBStore
from django.core.cache import cache
+KEY_PREFIX = "django.contrib.sessions.cached_db"
+
class SessionStore(DBStore):
"""
Implements cached, database backed sessions.
@@ -15,10 +17,11 @@
super(SessionStore, self).__init__(session_key)
def load(self):
- data = cache.get(self.session_key, None)
+ data = cache.get(KEY_PREFIX + self.session_key, None)
if data is None:
data = super(SessionStore, self).load()
- cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE)
+ cache.set(KEY_PREFIX + self.session_key, data,
+ settings.SESSION_COOKIE_AGE)
return data
def exists(self, session_key):
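Review bot: The `cache.set(...)` call in `load` gives the cached session a fixed lifetime of `settings.SESSION_COOKIE_AGE`, while the cache-only backend's `save` in the same commit uses `self.get_expiry_age()`. If the database backend honours a per-session expiry shorter than the cookie age (not shown in this hunk, but that is what `get_expiry_age()` exists for), a session already expired in the database can keep being served from the cache until SESSION_COOKIE_AGE elapses, because `load` returns cached data without consulting the database at all. Using `self.get_expiry_age()` here, and on the matching `cache.set` in the save hunk below, would keep the two backends' cache lifetimes consistent with the session's own expiry.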
@@ -26,11 +29,12 @@
def save(self, must_create=False):
super(SessionStore, self).save(must_create)
- cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
+ cache.set(KEY_PREFIX + self.session_key, self._session,
+ settings.SESSION_COOKIE_AGE)
def delete(self, session_key=None):
super(SessionStore, self).delete(session_key)
- cache.delete(session_key or self.session_key)
+ cache.delete(KEY_PREFIX + (session_key or self.session_key))
def flush(self):
"""
@@ -39,4 +43,4 @@
"""
self.clear()
self.delete(self.session_key)
- self.create()
\ No newline at end of file
+ self.create()