Commit c0caac87 authored by Luke Plant's avatar Luke Plant

Removed Django 1.2 compatibility fallback for session data integrity check hash.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 5fa11b00
+3 −18
@@ -105,25 +105,10 @@ class SessionBase(object):
            else:
                return pickle.loads(pickled)
        except Exception:
            # ValueError, SuspiciousOperation, unpickling exceptions
            # Fall back to Django 1.2 method
            # PendingDeprecationWarning <- here to remind us to
            # remove this fallback in Django 1.5
            try:
                return self._decode_old(session_data)
            except Exception:
                # Unpickling can cause a variety of exceptions. If something happens,
                # just return an empty dictionary (an empty session).
            # ValueError, SuspiciousOperation, unpickling exceptions. If any of
            # these happen, just return an empty dictionary (an empty session).
            return {}

    def _decode_old(self, session_data):
        encoded_data = base64.decodestring(session_data)
        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
        if not constant_time_compare(hashlib.md5(pickled + settings.SECRET_KEY).hexdigest(),
                                     tamper_check):
            raise SuspiciousOperation("User tampered with session cookie.")
        return pickle.loads(pickled)

    def update(self, dict_):
        self._session.update(dict_)
        self.modified = True
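Review bot: The `except Exception:` branch that now ends directly in `return {}` still treats a failed integrity check (`SuspiciousOperation`) exactly like a corrupt pickle, and nothing is logged, so tampered session data leaves no trace for operators. Consider recording the failure before returning, for example `logger.warning("Session data could not be decoded; returning empty session")`, using whatever module logger the project provides (none is visible in this hunk). With `_decode_old` gone, sessions still stored in the Django 1.2 MD5 format will presumably fall into this same branch and silently become empty sessions, which is worth stating in the release notes. The body of `decode` starts above the hunk, so the hash check that guards `pickle.loads(pickled)` cannot be reviewed from here.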
+0 −15
import base64
from datetime import datetime, timedelta
import hashlib
import pickle
import shutil
import tempfile

@@ -252,18 +249,6 @@ class SessionTestsMixin(object):
        encoded = self.session.encode(data)
        self.assertEqual(self.session.decode(encoded), data)

    def test_decode_django12(self):
        # Ensure we can decode values encoded using Django 1.2
        # Hard code the Django 1.2 method here:
        def encode(session_dict):
            pickled = pickle.dumps(session_dict, pickle.HIGHEST_PROTOCOL)
            pickled_md5 = hashlib.md5(pickled + settings.SECRET_KEY).hexdigest()
            return base64.encodestring(pickled + pickled_md5)

        data = {'a test key': 'a test value'}
        encoded = encode(data)
        self.assertEqual(self.session.decode(encoded), data)


class DatabaseSessionTests(SessionTestsMixin, TestCase):