+95
-8
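--- a/[path-not-shown-on-page: file 1]
+++ b/[path-not-shown-on-page: file 1]
@@ -27,7 +27,7 @@ def load(self):
 session_data = None
 if session_data is not None:
 return session_data
-self.create()
+self._session_key = None
 return {}
 
 def create(self):
@@ -49,6 +49,8 @@ def create(self):
 "It is likely that the cache is unavailable.")
 
 def save(self, must_create=False):
+if self.session_key is None:
+return self.create()
 if must_create:
 func = self._cache.add
 else:
@@ -60,7 +62,7 @@ def save(self, must_create=False):
 raise CreateError
 
 def exists(self, session_key):
-return (KEY_PREFIX + session_key) in self._cache
+return session_key and (KEY_PREFIX + session_key) in self._cache
 
 def delete(self, session_key=None):
 if session_key is None: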
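Review bot: `exists()` in the last hunk now returns the falsy key itself (`None` or `''`) instead of `False` when no key is supplied, so any caller that compares the result with `is False`, or serialises it, sees a change of type. `return bool(session_key) and (KEY_PREFIX + session_key) in self._cache` keeps the guard and the bool contract; the same form appears in the `exists()` hunk of the second file section. The new early return in `save()` (second hunk) hands off to `create()`, whose body lies outside the hunk; it presumably assigns `_session_key` before it calls `save(must_create=True)`, otherwise the two would recurse, and a comment such as `# No key yet means nothing is persisted: create a record rather than update one.` would make the intent explicit.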
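--- a/[path-not-shown-on-page: file 2]
+++ b/[path-not-shown-on-page: file 2]
@@ -51,12 +51,12 @@ def load(self):
 logger = logging.getLogger('django.security.%s' %
 e.__class__.__name__)
 logger.warning(force_text(e))
-self.create()
+self._session_key = None
 data = {}
 return data
 
 def exists(self, session_key):
-if (KEY_PREFIX + session_key) in self._cache:
+if session_key and (KEY_PREFIX + session_key) in self._cache:
 return True
 return super(SessionStore, self).exists(session_key)
 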
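Review bot: In the `exists()` hunk a falsy `session_key` now skips the cache lookup but still falls through to `super(SessionStore, self).exists(session_key)`, so the parent backend is reached with `None` or `''`; whether that call guards an empty key is outside this section. Returning early with `if not session_key: return False` ahead of the cache check would settle it in this backend and give a plain bool for the empty-key case. The `load()` hunk above it behaves as intended: clearing the key and returning `data = {}` means a rejected or unknown cookie no longer allocates a record.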
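--- a/[path-not-shown-on-page: file 3]
+++ b/[path-not-shown-on-page: file 3]
@@ -26,7 +26,7 @@ def load(self):
 logger = logging.getLogger('django.security.%s' %
 e.__class__.__name__)
 logger.warning(force_text(e))
-self.create()
+self._session_key = None
 return {}
 
 def exists(self, session_key):
@@ -43,7 +43,6 @@ def create(self):
 # Key wasn't unique. Try again.
 continue
 self.modified = True
-self._session_cache = {}
 return
 
 def save(self, must_create=False):
@@ -53,6 +52,8 @@ def save(self, must_create=False):
 create a *new* entry (as opposed to possibly updating an existing
 entry).
 """
+if self.session_key is None:
+return self.create()
 obj = Session(
 session_key=self._get_or_create_session_key(),
 session_data=self.encode(self._get_session(no_load=must_create)),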
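Review bot: The `save()` docstring that closes just above the new guard in the third hunk (`entry).` / `"""`) still documents only `must_create` and says nothing about a key-less session now being routed to `create()` regardless of the flag; add a sentence such as `If the session has no key yet, create() is called instead and a fresh record is written.` Dropping `self._session_cache = {}` from `create()` in the second hunk appears to be what keeps unsaved data alive across the new `save()` to `create()` hop, and that deserves a one-line comment beside `self.modified = True`, e.g. `# Keep _session_cache: save() may have routed here with unsaved data.` `create()`'s signature and the opening of `save()`'s docstring lie outside the hunks.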
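--- a/[path-not-shown-on-page: file 4]
+++ b/[path-not-shown-on-page: file 4]
@@ -97,7 +97,7 @@ def load(self):
 self.delete()
 self.create()
 except (IOError, SuspiciousOperation):
-self.create()
+self._session_key = None
 return session_data
 
 def create(self):
@@ -108,10 +108,11 @@ def create(self):
 except CreateError:
 continue
 self.modified = True
-self._session_cache = {}
 return
 
 def save(self, must_create=False):
+if self.session_key is None:
+return self.create()
 # Get the session data now, before we start messing
 # with the file it is stored within.
 session_data = self._get_session(no_load=must_create)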
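Review bot: The `except (IOError, SuspiciousOperation)` branch in the first hunk now clears the key and then does `return session_data`, so `session_data` must already be bound before the `try` that begins outside this hunk; if it is only assigned inside the `try`, this path raises `NameError` instead of returning an empty session. Two lines above the `except`, the `self.delete()` / `self.create()` pair still writes a file during `load()`; its enclosing condition is not visible here, and if it is the expired-session path it only fires for a key that already has a file, so it does not reopen the store-filling vector, but a short comment would stop the next reader from flagging it, e.g. `# Existing but expired file: replacing it does not grow the store.` The enclosing `load()` starts outside the hunk.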
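--- a/[path-not-shown-on-page: file 5]
+++ b/[path-not-shown-on-page: file 5]
@@ -5,3 +5,24 @@ Django 1.4.21 release notes
 *July 8, 2015*
 
 Django 1.4.21 fixes several security issues in 1.4.20.
+
+Denial-of-service possibility by filling session store
+======================================================
+
+In previous versions of Django, the session backends created a new empty record
+in the session storage anytime ``request.session`` was accessed and there was a
+session key provided in the request cookies that didn't already have a session
+record. This could allow an attacker to easily create many new session records
+simply by sending repeated requests with unknown session keys, potentially
+filling up the session store or causing other users' session records to be
+evicted.
+
+The built-in session backends now create a session record only if the session
+is actually modified; empty session records are not created. Thus this
+potential DoS is now only possible if the site chooses to expose a
+session-modifying view to anonymous users.
+
+As each built-in session backend was fixed separately (rather than a fix in the
+core sessions framework), maintainers of third-party session backends should
+check whether the same vulnerability is present in their backend and correct
+it if so.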
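--- a/[path-not-shown-on-page: file 6]
+++ b/[path-not-shown-on-page: file 6]
@@ -6,6 +6,27 @@ Django 1.7.9 release notes
 
 Django 1.7.9 fixes several security issues and bugs in 1.7.8.
 
+Denial-of-service possibility by filling session store
+======================================================
+
+In previous versions of Django, the session backends created a new empty record
+in the session storage anytime ``request.session`` was accessed and there was a
+session key provided in the request cookies that didn't already have a session
+record. This could allow an attacker to easily create many new session records
+simply by sending repeated requests with unknown session keys, potentially
+filling up the session store or causing other users' session records to be
+evicted.
+
+The built-in session backends now create a session record only if the session
+is actually modified; empty session records are not created. Thus this
+potential DoS is now only possible if the site chooses to expose a
+session-modifying view to anonymous users.
+
+As each built-in session backend was fixed separately (rather than a fix in the
+core sessions framework), maintainers of third-party session backends should
+check whether the same vulnerability is present in their backend and correct
+it if so.
+
 Bugfixes
 ========
 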
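--- a/[path-not-shown-on-page: file 7]
+++ b/[path-not-shown-on-page: file 7]
@@ -11,6 +11,27 @@ Also, ``django.utils.deprecation.RemovedInDjango20Warning`` was renamed to
 1.11 (LTS), 2.0 (drops Python 2 support). For backwards compatibility,
 ``RemovedInDjango20Warning`` remains as an importable alias.
 
+Denial-of-service possibility by filling session store
+======================================================
+
+In previous versions of Django, the session backends created a new empty record
+in the session storage anytime ``request.session`` was accessed and there was a
+session key provided in the request cookies that didn't already have a session
+record. This could allow an attacker to easily create many new session records
+simply by sending repeated requests with unknown session keys, potentially
+filling up the session store or causing other users' session records to be
+evicted.
+
+The built-in session backends now create a session record only if the session
+is actually modified; empty session records are not created. Thus this
+potential DoS is now only possible if the site chooses to expose a
+session-modifying view to anonymous users.
+
+As each built-in session backend was fixed separately (rather than a fix in the
+core sessions framework), maintainers of third-party session backends should
+check whether the same vulnerability is present in their backend and correct
+it if so.
+
 Bugfixes
 ========
 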
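--- a/[path-not-shown-on-page: file 8]
+++ b/[path-not-shown-on-page: file 8]
@@ -175,6 +175,11 @@ def test_cycle(self):
 self.assertNotEqual(self.session.session_key, prev_key)
 self.assertEqual(list(self.session.items()), prev_data)
 
+def test_save_doesnt_clear_data(self):
+self.session['a'] = 'b'
+self.session.save()
+self.assertEqual(self.session['a'], 'b')
+
 def test_invalid_key(self):
 # Submitting an invalid session key (either by guessing, or if the db has
 # removed the key) results in a new key being generated.
@@ -313,6 +318,21 @@ def test_actual_expiry(self):
 self.session.delete(old_session_key)
 self.session.delete(new_session_key)
 
+def test_session_load_does_not_create_record(self):
+"""
+Loading an unknown session key does not create a session record.
+
+Creating session records on load is a DOS vulnerability.
+"""
+if self.backend is CookieSession:
+raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.")
+session = self.backend('someunknownkey')
+session.load()
+
+self.assertFalse(session.exists(session.session_key))
+# provided unknown key was cycled, not reused
+self.assertNotEqual(session.session_key, 'someunknownkey')
+
 
 class DatabaseSessionTests(SessionTestsMixin, TestCase):
 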
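Review bot: The last assertion in `test_session_load_does_not_create_record` is trivially satisfied once `load()` clears the key, because `None != 'someunknownkey'` holds whatever the backend did, and the comment `# provided unknown key was cycled, not reused` no longer describes what happens (the key is dropped, not cycled). `self.assertIsNone(session.session_key)` pins the actual behaviour, and `self.assertFalse(session.exists('someunknownkey'))` checks the property the test is named for, that the supplied key was never persisted, rather than `exists(None)`, whose result depends on each backend's handling of an empty key. The enclosing `SessionTestsMixin` class begins outside the hunk.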