| author | Carl Meyer <carl@oddbird.net> | 2015-06-10 15:45:20 -0600 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-07-08 15:23:03 -0400 |
| commit | df049ed77a4db67e45db5679bfc76a85d2a26680 (patch) | |
| tree | 64bbcfba5544a053fc35e59a940ec6d1163ad76d /tests/sessions_tests | |
| parent | 125eaa19b2e840aa3467f85f004305617a32d141 (diff) | |
Fixed #19324 -- Avoided creating a session record when loading the session.
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'tests/sessions_tests')
| -rw-r--r-- | tests/sessions_tests/tests.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index 8a9e98e4a8..6af969f70c 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -178,6 +178,11 @@ class SessionTestsMixin(object):
 self.assertNotEqual(self.session.session_key, prev_key)
 self.assertEqual(list(self.session.items()), prev_data)
+ def test_save_doesnt_clear_data(self):
+ self.session['a'] = 'b'
+ self.session.save()
+ self.assertEqual(self.session['a'], 'b')
+
 def test_invalid_key(self):
 # Submitting an invalid session key (either by guessing, or if the db has
 # removed the key) results in a new key being generated.
@@ -331,6 +336,21 @@ class SessionTestsMixin(object):
 self.session.delete(old_session_key)
 self.session.delete(new_session_key)
+ def test_session_load_does_not_create_record(self):
+ """
+ Loading an unknown session key does not create a session record.
+
+ Creating session records on load is a DOS vulnerability.
+ """
+ if self.backend is CookieSession:
+ raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.")
+ session = self.backend('someunknownkey')
+ session.load()
+
+ self.assertFalse(session.exists(session.session_key))
+ # provided unknown key was cycled, not reused
+ self.assertNotEqual(session.session_key, 'someunknownkey')
+
 class DatabaseSessionTests(SessionTestsMixin, TestCase): |
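Review bot: test_save_doesnt_clear_data in the first hunk only reads back the in-memory mapping, so it would still pass if save() persisted nothing or wiped the backing record; re-reading through a fresh session object would pin the persisted state, e.g. `self.assertEqual(self.backend(self.session.session_key)['a'], 'b')` after the existing assertion. The `self.backend(key)` construction is the one the second hunk already uses, so it appears to be available to the mixin, though whether every backend round-trips a freshly constructed session the same way is something to confirm before relying on it. The enclosing class SessionTestsMixin starts outside the hunk, and the second hunk appears to be truncated after the DatabaseSessionTests line.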
