From 8cc41ce7a7a8f6bebfdd89d5ab276cd0109f4fc5 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 5 Aug 2015 16:51:42 -0400 Subject: Fixed DoS possiblity in contrib.auth.views.logout() Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. --- tests/sessions_tests/tests.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'tests') diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index 6af969f70c..713ff9e553 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -678,6 +678,23 @@ class SessionMiddlewareTests(TestCase): str(response.cookies[settings.SESSION_COOKIE_NAME]) ) + def test_flush_empty_without_session_cookie_doesnt_set_cookie(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # A cookie should not be set. + self.assertEqual(response.cookies, {}) + # The session is accessed so "Vary: Cookie" should be set. + self.assertEqual(response['Vary'], 'Cookie') + # Don't need DB flushing for these tests, so can use unittest.TestCase as base class class CookieSessionTests(SessionTestsMixin, unittest.TestCase): -- cgit v1.3