summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorAndrew Nester <anestor@sugarcrm.com>2016-10-25 14:23:14 +0300
committerTim Graham <timograham@gmail.com>2016-11-01 07:15:56 -0400
commit1ce04bcce0076360623ae164afd3541a5c031af2 (patch)
tree66092aa8501aef9fcad03833c24c4072b75270ab /django
parent9c2e1ad6a5f0ca98d68df7afdb13715921949c5a (diff)
Fixed #27363 -- Replaced unsafe redirect in SessionMiddleware with SuspiciousOperation.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/sessions/middleware.py11
1 files changed, 6 insertions, 5 deletions
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 5aaff43426..60faa2b328 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -3,7 +3,7 @@ from importlib import import_module
from django.conf import settings
from django.contrib.sessions.backends.base import UpdateError
-from django.shortcuts import redirect
+from django.core.exceptions import SuspiciousOperation
from django.utils.cache import patch_vary_headers
from django.utils.deprecation import MiddlewareMixin
from django.utils.http import cookie_date
@@ -57,10 +57,11 @@ class SessionMiddleware(MiddlewareMixin):
try:
request.session.save()
except UpdateError:
- # The user is now logged out; redirecting to same
- # page will result in a redirect to the login page
- # if required.
- return redirect(request.path)
+ raise SuspiciousOperation(
+ "The request's session was deleted before the "
+ "request completed. The user may have logged "
+ "out in a concurrent request, for example."
+ )
response.set_cookie(
settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,