diff options
| author | Tim Graham <timograham@gmail.com> | 2015-08-05 16:51:42 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-08-18 08:15:15 -0400 |
| commit | 2eb86b01d7b59be06076f6179a454d0fd0afaff6 (patch) | |
| tree | 66211d34d5a0ee5e3e9db148539dbc2395e32176 /tests | |
| parent | 048bccb1bea6e13113f6d5fee7b311604ff2ea1f (diff) | |
[1.8.x] Fixed DoS possiblity in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review.
This is a security fix.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sessions_tests/tests.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index a1aab37273..220ddb2eda 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -660,6 +660,23 @@ class SessionMiddlewareTests(TestCase): str(response.cookies[settings.SESSION_COOKIE_NAME]) ) + def test_flush_empty_without_session_cookie_doesnt_set_cookie(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # A cookie should not be set. + self.assertEqual(response.cookies, {}) + # The session is accessed so "Vary: Cookie" should be set. + self.assertEqual(response['Vary'], 'Cookie') + # Don't need DB flushing for these tests, so can use unittest.TestCase as base class class CookieSessionTests(SessionTestsMixin, unittest.TestCase): |
