Commit bda21e2b authored by Aymeric Augustin's avatar Aymeric Augustin
Browse files

Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478. 

This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17155 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent fb7ab773

django/contrib/sessions/backends/base.py

+14 −16
Original line number Diff line number Diff line
@@ -54,12 +54,6 @@ class SessionBase(object): 
        del self._session[key]

        self.modified = True



    def keys(self):

        return self._session.keys()



    def items(self):

        return self._session.items()



    def get(self, key, default=None):

        return self._session.get(key, default)
@@ -116,9 +110,15 @@ class SessionBase(object): 
    def has_key(self, key):

        return key in self._session



    def keys(self):

        return self._session.keys()



    def values(self):

        return self._session.values()



    def items(self):

        return self._session.items()



    def iterkeys(self):

        return self._session.iterkeys()
@@ -145,7 +145,7 @@ class SessionBase(object): 
        except AttributeError:

            # No getpid() in Jython, for example

            pid = 1

        while 1:

        while True:

            session_key = hashlib.md5("%s%s%s%s"

                    % (randrange(0, MAX_SESSION_KEY), pid, time.time(),

                       settings.SECRET_KEY)).hexdigest()
@@ -153,17 +153,15 @@ class SessionBase(object): 
                break

        return session_key



    def _get_session_key(self):

        if self._session_key:

            return self._session_key

        else:

    def _get_or_create_session_key(self):

        if self._session_key is None:

            self._session_key = self._get_new_session_key()

        return self._session_key



    def _set_session_key(self, session_key):

        self._session_key = session_key

    def _get_session_key(self):

        return self._session_key



    session_key = property(_get_session_key, _set_session_key)

    session_key = property(_get_session_key)



    def _get_session(self, no_load=False):

        """
@@ -174,7 +172,7 @@ class SessionBase(object): 
        try:

            return self._session_cache

        except AttributeError:

            if self._session_key is None or no_load:

            if self.session_key is None or no_load:

                self._session_cache = {}

            else:

                self._session_cache = self.load()

django/contrib/sessions/backends/cache.py

+11 −7
Original line number Diff line number Diff line
@@ -11,8 +11,12 @@ class SessionStore(SessionBase): 
        self._cache = cache

        super(SessionStore, self).__init__(session_key)



    @property

    def cache_key(self):

        return KEY_PREFIX + self._get_or_create_session_key()



    def load(self):

        session_data = self._cache.get(KEY_PREFIX + self.session_key)

        session_data = self._cache.get(self.cache_key)

        if session_data is not None:

            return session_data

        self.create()
@@ -25,7 +29,7 @@ class SessionStore(SessionBase): 
        # and then raise an exception. That's the risk you shoulder if using

        # cache backing.

        for i in xrange(10000):

            self.session_key = self._get_new_session_key()

            self._session_key = self._get_new_session_key()

            try:

                self.save(must_create=True)

            except CreateError:
@@ -39,7 +43,8 @@ class SessionStore(SessionBase): 
            func = self._cache.add

        else:

            func = self._cache.set

        result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),

        result = func(self.cache_key,

                      self._get_session(no_load=must_create),

                      self.get_expiry_age())

        if must_create and not result:

            raise CreateError
@@ -49,8 +54,7 @@ class SessionStore(SessionBase): 


    def delete(self, session_key=None):

        if session_key is None:

            if self._session_key is None:

            if self.session_key is None:

                return

            session_key = self._session_key

            session_key = self.session_key

        self._cache.delete(KEY_PREFIX + session_key)

django/contrib/sessions/backends/cached_db.py

+12 −6
Original line number Diff line number Diff line
@@ -16,12 +16,15 @@ class SessionStore(DBStore): 
    def __init__(self, session_key=None):

        super(SessionStore, self).__init__(session_key)



    @property

    def cache_key(self):

        return KEY_PREFIX + self._get_or_create_session_key()



    def load(self):

        data = cache.get(KEY_PREFIX + self.session_key, None)

        data = cache.get(self.cache_key, None)

        if data is None:

            data = super(SessionStore, self).load()

            cache.set(KEY_PREFIX + self.session_key, data, 

                      settings.SESSION_COOKIE_AGE)

            cache.set(self.cache_key, data, settings.SESSION_COOKIE_AGE)

        return data



    def exists(self, session_key):
@@ -29,12 +32,15 @@ class SessionStore(DBStore): 


    def save(self, must_create=False):

        super(SessionStore, self).save(must_create)

        cache.set(KEY_PREFIX + self.session_key, self._session, 

                  settings.SESSION_COOKIE_AGE)

        cache.set(self.cache_key, self._session, settings.SESSION_COOKIE_AGE)



    def delete(self, session_key=None):

        super(SessionStore, self).delete(session_key)

        cache.delete(KEY_PREFIX + (session_key or self.session_key))

        if session_key is None:

            if self.session_key is None:

                return

            session_key = self.session_key

        cache.delete(KEY_PREFIX + session_key)



    def flush(self):

        """

django/contrib/sessions/backends/db.py

+6 −6
Original line number Diff line number Diff line
@@ -32,7 +32,7 @@ class SessionStore(SessionBase): 


    def create(self):

        while True:

            self.session_key = self._get_new_session_key()

            self._session_key = self._get_new_session_key()

            try:

                # Save immediately to ensure we have a unique entry in the

                # database.
@@ -52,7 +52,7 @@ class SessionStore(SessionBase): 
        entry).

        """

        obj = Session(

            session_key = self.session_key,

            session_key=self._get_or_create_session_key(),

            session_data=self.encode(self._get_session(no_load=must_create)),

            expire_date=self.get_expiry_date()

        )
@@ -68,9 +68,9 @@ class SessionStore(SessionBase): 


    def delete(self, session_key=None):

        if session_key is None:

            if self._session_key is None:

            if self.session_key is None:

                return

            session_key = self._session_key

            session_key = self.session_key

        try:

            Session.objects.get(session_key=session_key).delete()

        except Session.DoesNotExist:

django/contrib/sessions/backends/file.py

+3 −3
Original line number Diff line number Diff line
@@ -33,7 +33,7 @@ class SessionStore(SessionBase): 
        Get the file associated with this session key.

        """

        if session_key is None:

            session_key = self.session_key

            session_key = self._get_or_create_session_key()



        # Make sure we're not vulnerable to directory traversal. Session keys

        # should always be md5s, so they should never contain directory
@@ -135,9 +135,9 @@ class SessionStore(SessionBase): 


    def delete(self, session_key=None):

        if session_key is None:

            if self._session_key is None:

            if self.session_key is None:

                return

            session_key = self._session_key

            session_key = self.session_key

        try:

            os.unlink(self._key_to_file(session_key))

        except OSError: