From df049ed77a4db67e45db5679bfc76a85d2a26680 Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Wed, 10 Jun 2015 15:45:20 -0600 Subject: Fixed #19324 -- Avoided creating a session record when loading the session. The session record is now only created if/when the session is modified. This prevents a potential DoS via creation of many empty session records. This is a security fix; disclosure to follow shortly. --- tests/sessions_tests/tests.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'tests') diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index 8a9e98e4a8..6af969f70c 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -178,6 +178,11 @@ class SessionTestsMixin(object): self.assertNotEqual(self.session.session_key, prev_key) self.assertEqual(list(self.session.items()), prev_data) + def test_save_doesnt_clear_data(self): + self.session['a'] = 'b' + self.session.save() + self.assertEqual(self.session['a'], 'b') + def test_invalid_key(self): # Submitting an invalid session key (either by guessing, or if the db has # removed the key) results in a new key being generated. @@ -331,6 +336,21 @@ class SessionTestsMixin(object): self.session.delete(old_session_key) self.session.delete(new_session_key) + def test_session_load_does_not_create_record(self): + """ + Loading an unknown session key does not create a session record. + + Creating session records on load is a DOS vulnerability. + """ + if self.backend is CookieSession: + raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.") + session = self.backend('someunknownkey') + session.load() + + self.assertFalse(session.exists(session.session_key)) + # provided unknown key was cycled, not reused + self.assertNotEqual(session.session_key, 'someunknownkey') + class DatabaseSessionTests(SessionTestsMixin, TestCase): -- cgit v1.3