diff options
| author | Andrew Nester <anestor@sugarcrm.com> | 2016-10-25 14:23:14 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-11-01 07:15:56 -0400 |
| commit | 1ce04bcce0076360623ae164afd3541a5c031af2 (patch) | |
| tree | 66092aa8501aef9fcad03833c24c4072b75270ab /django | |
| parent | 9c2e1ad6a5f0ca98d68df7afdb13715921949c5a (diff) | |
Fixed #27363 -- Replaced unsafe redirect in SessionMiddleware with SuspiciousOperation.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/sessions/middleware.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py index 5aaff43426..60faa2b328 100644 --- a/django/contrib/sessions/middleware.py +++ b/django/contrib/sessions/middleware.py @@ -3,7 +3,7 @@ from importlib import import_module from django.conf import settings from django.contrib.sessions.backends.base import UpdateError -from django.shortcuts import redirect +from django.core.exceptions import SuspiciousOperation from django.utils.cache import patch_vary_headers from django.utils.deprecation import MiddlewareMixin from django.utils.http import cookie_date @@ -57,10 +57,11 @@ class SessionMiddleware(MiddlewareMixin): try: request.session.save() except UpdateError: - # The user is now logged out; redirecting to same - # page will result in a redirect to the login page - # if required. - return redirect(request.path) + raise SuspiciousOperation( + "The request's session was deleted before the " + "request completed. The user may have logged " + "out in a concurrent request, for example." + ) response.set_cookie( settings.SESSION_COOKIE_NAME, request.session.session_key, max_age=max_age, |
