1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
commit cc0777db672f6edd44a6a3f5b4684bb3a71d11d3
Author: Carl Meyer <carl@oddbird.net>
Date: Wed Jun 10 15:45:20 2015 -0600
[1.4.x] Fixed #19324 -- Avoided creating a session record when loading the session.
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.
This is a security fix; disclosure to follow shortly.
Index: python-django-1.4.5/django/contrib/sessions/backends/cache.py
===================================================================
--- python-django-1.4.5.orig/django/contrib/sessions/backends/cache.py
+++ python-django-1.4.5/django/contrib/sessions/backends/cache.py
@@ -25,7 +25,7 @@ class SessionStore(SessionBase):
session_data = None
if session_data is not None:
return session_data
- self.create()
+ self._session_key = None
return {}
def create(self):
@@ -45,6 +45,8 @@ class SessionStore(SessionBase):
raise RuntimeError("Unable to create a new session key.")
def save(self, must_create=False):
+ if self.session_key is None:
+ return self.create()
if must_create:
func = self._cache.add
else:
@@ -56,7 +58,7 @@ class SessionStore(SessionBase):
raise CreateError
def exists(self, session_key):
- return (KEY_PREFIX + session_key) in self._cache
+ return session_key and (KEY_PREFIX + session_key) in self._cache
def delete(self, session_key=None):
if session_key is None:
Index: python-django-1.4.5/django/contrib/sessions/backends/cached_db.py
===================================================================
--- python-django-1.4.5.orig/django/contrib/sessions/backends/cached_db.py
+++ python-django-1.4.5/django/contrib/sessions/backends/cached_db.py
@@ -30,11 +30,12 @@ class SessionStore(DBStore):
data = None
if data is None:
data = super(SessionStore, self).load()
- cache.set(self.cache_key, data, settings.SESSION_COOKIE_AGE)
+ if self.session_key:
+ cache.set(self.cache_key, data, settings.SESSION_COOKIE_AGE)
return data
def exists(self, session_key):
- if (KEY_PREFIX + session_key) in cache:
+ if session_key and (KEY_PREFIX + session_key) in cache:
return True
return super(SessionStore, self).exists(session_key)
Index: python-django-1.4.5/django/contrib/sessions/backends/db.py
===================================================================
--- python-django-1.4.5.orig/django/contrib/sessions/backends/db.py
+++ python-django-1.4.5/django/contrib/sessions/backends/db.py
@@ -20,7 +20,7 @@ class SessionStore(SessionBase):
)
return self.decode(force_unicode(s.session_data))
except (Session.DoesNotExist, SuspiciousOperation):
- self.create()
+ self._session_key = None
return {}
def exists(self, session_key):
@@ -37,7 +37,6 @@ class SessionStore(SessionBase):
# Key wasn't unique. Try again.
continue
self.modified = True
- self._session_cache = {}
return
def save(self, must_create=False):
@@ -47,6 +46,8 @@ class SessionStore(SessionBase):
create a *new* entry (as opposed to possibly updating an existing
entry).
"""
+ if self.session_key is None:
+ return self.create()
obj = Session(
session_key=self._get_or_create_session_key(),
session_data=self.encode(self._get_session(no_load=must_create)),
Index: python-django-1.4.5/django/contrib/sessions/backends/file.py
===================================================================
--- python-django-1.4.5.orig/django/contrib/sessions/backends/file.py
+++ python-django-1.4.5/django/contrib/sessions/backends/file.py
@@ -56,11 +56,11 @@ class SessionStore(SessionBase):
try:
session_data = self.decode(file_data)
except (EOFError, SuspiciousOperation):
- self.create()
+ self._session_key = None
finally:
session_file.close()
except IOError:
- self.create()
+ self._session_key = None
return session_data
def create(self):
@@ -71,10 +71,11 @@ class SessionStore(SessionBase):
except CreateError:
continue
self.modified = True
- self._session_cache = {}
return
def save(self, must_create=False):
+ if self.session_key is None:
+ return self.create()
# Get the session data now, before we start messing
# with the file it is stored within.
session_data = self._get_session(no_load=must_create)
Index: python-django-1.4.5/django/contrib/sessions/tests.py
===================================================================
--- python-django-1.4.5.orig/django/contrib/sessions/tests.py
+++ python-django-1.4.5/django/contrib/sessions/tests.py
@@ -162,6 +162,11 @@ class SessionTestsMixin(object):
self.assertNotEqual(self.session.session_key, prev_key)
self.assertEqual(self.session.items(), prev_data)
+ def test_save_doesnt_clear_data(self):
+ self.session['a'] = 'b'
+ self.session.save()
+ self.assertEqual(self.session['a'], 'b')
+
def test_invalid_key(self):
# Submitting an invalid session key (either by guessing, or if the db has
# removed the key) results in a new key being generated.
@@ -256,6 +261,20 @@ class SessionTestsMixin(object):
encoded = self.session.encode(data)
self.assertEqual(self.session.decode(encoded), data)
+ def test_session_load_does_not_create_record(self):
+ """
+ Loading an unknown session key does not create a session record.
+
+ Creating session records on load is a DOS vulnerability.
+ """
+ if self.backend is CookieSession:
+ raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.")
+ session = self.backend('deadbeef')
+ session.load()
+
+ self.assertFalse(session.exists(session.session_key))
+ # provided unknown key was cycled, not reused
+ self.assertNotEqual(session.session_key, 'deadbeef')
class DatabaseSessionTests(SessionTestsMixin, TestCase):
|
