diff options
| author | Carl Meyer <carl@oddbird.net> | 2015-06-10 15:45:20 -0600 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-07-08 15:23:03 -0400 |
| commit | df049ed77a4db67e45db5679bfc76a85d2a26680 (patch) | |
| tree | 64bbcfba5544a053fc35e59a940ec6d1163ad76d /django | |
| parent | 125eaa19b2e840aa3467f85f004305617a32d141 (diff) | |
Fixed #19324 -- Avoided creating a session record when loading the session.
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/sessions/backends/cache.py | 6 | ||||
| -rw-r--r-- | django/contrib/sessions/backends/cached_db.py | 4 | ||||
| -rw-r--r-- | django/contrib/sessions/backends/db.py | 5 | ||||
| -rw-r--r-- | django/contrib/sessions/backends/file.py | 5 |
4 files changed, 12 insertions, 8 deletions
diff --git a/django/contrib/sessions/backends/cache.py b/django/contrib/sessions/backends/cache.py index 9ee8351930..9be47e00a1 100644 --- a/django/contrib/sessions/backends/cache.py +++ b/django/contrib/sessions/backends/cache.py @@ -27,7 +27,7 @@ class SessionStore(SessionBase): session_data = None if session_data is not None: return session_data - self.create() + self._session_key = None return {} def create(self): @@ -49,6 +49,8 @@ class SessionStore(SessionBase): "It is likely that the cache is unavailable.") def save(self, must_create=False): + if self.session_key is None: + return self.create() if must_create: func = self._cache.add else: @@ -60,7 +62,7 @@ class SessionStore(SessionBase): raise CreateError def exists(self, session_key): - return (KEY_PREFIX + session_key) in self._cache + return session_key and (KEY_PREFIX + session_key) in self._cache def delete(self, session_key=None): if session_key is None: diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py index 9257e2ba56..bc9a55fd9d 100644 --- a/django/contrib/sessions/backends/cached_db.py +++ b/django/contrib/sessions/backends/cached_db.py @@ -51,12 +51,12 @@ class SessionStore(DBStore): logger = logging.getLogger('django.security.%s' % e.__class__.__name__) logger.warning(force_text(e)) - self.create() + self._session_key = None data = {} return data def exists(self, session_key): - if (KEY_PREFIX + session_key) in self._cache: + if session_key and (KEY_PREFIX + session_key) in self._cache: return True return super(SessionStore, self).exists(session_key) diff --git a/django/contrib/sessions/backends/db.py b/django/contrib/sessions/backends/db.py index 30e2675b3b..0fba3ec178 100644 --- a/django/contrib/sessions/backends/db.py +++ b/django/contrib/sessions/backends/db.py @@ -26,7 +26,7 @@ class SessionStore(SessionBase): logger = logging.getLogger('django.security.%s' % e.__class__.__name__) logger.warning(force_text(e)) - self.create() + self._session_key = None return {} def exists(self, session_key): @@ -43,7 +43,6 @@ class SessionStore(SessionBase): # Key wasn't unique. Try again. continue self.modified = True - self._session_cache = {} return def save(self, must_create=False): @@ -53,6 +52,8 @@ class SessionStore(SessionBase): create a *new* entry (as opposed to possibly updating an existing entry). """ + if self.session_key is None: + return self.create() obj = Session( session_key=self._get_or_create_session_key(), session_data=self.encode(self._get_session(no_load=must_create)), diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py index 10d163acc4..41469c4a26 100644 --- a/django/contrib/sessions/backends/file.py +++ b/django/contrib/sessions/backends/file.py @@ -97,7 +97,7 @@ class SessionStore(SessionBase): self.delete() self.create() except (IOError, SuspiciousOperation): - self.create() + self._session_key = None return session_data def create(self): @@ -108,10 +108,11 @@ class SessionStore(SessionBase): except CreateError: continue self.modified = True - self._session_cache = {} return def save(self, must_create=False): + if self.session_key is None: + return self.create() # Get the session data now, before we start messing # with the file it is stored within. session_data = self._get_session(no_load=must_create) |
