diff options
| author | Tim Graham <timograham@gmail.com> | 2015-08-05 16:51:42 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-08-18 08:03:43 -0400 |
| commit | 8cc41ce7a7a8f6bebfdd89d5ab276cd0109f4fc5 (patch) | |
| tree | 4561241b0fae38ec47942121bf9f5edff5180ced /tests | |
| parent | b0ab74dfcaaf92ee222b30295e2e9559bdbb8212 (diff) | |
Fixed DoS possiblity in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review.
This is a security fix.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sessions_tests/tests.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index 6af969f70c..713ff9e553 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -678,6 +678,23 @@ class SessionMiddlewareTests(TestCase): str(response.cookies[settings.SESSION_COOKIE_NAME]) ) + def test_flush_empty_without_session_cookie_doesnt_set_cookie(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # A cookie should not be set. + self.assertEqual(response.cookies, {}) + # The session is accessed so "Vary: Cookie" should be set. + self.assertEqual(response['Vary'], 'Cookie') + # Don't need DB flushing for these tests, so can use unittest.TestCase as base class class CookieSessionTests(SessionTestsMixin, unittest.TestCase): |
