mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed #27363 -- Replaced unsafe redirect in SessionMiddleware with SuspiciousOperation.
This commit is contained in:
parent
9c2e1ad6a5
commit
1ce04bcce0
@ -3,7 +3,7 @@ from importlib import import_module
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib.sessions.backends.base import UpdateError
|
||||
from django.shortcuts import redirect
|
||||
from django.core.exceptions import SuspiciousOperation
|
||||
from django.utils.cache import patch_vary_headers
|
||||
from django.utils.deprecation import MiddlewareMixin
|
||||
from django.utils.http import cookie_date
|
||||
@ -57,10 +57,11 @@ class SessionMiddleware(MiddlewareMixin):
|
||||
try:
|
||||
request.session.save()
|
||||
except UpdateError:
|
||||
# The user is now logged out; redirecting to same
|
||||
# page will result in a redirect to the login page
|
||||
# if required.
|
||||
return redirect(request.path)
|
||||
raise SuspiciousOperation(
|
||||
"The request's session was deleted before the "
|
||||
"request completed. The user may have logged "
|
||||
"out in a concurrent request, for example."
|
||||
)
|
||||
response.set_cookie(
|
||||
settings.SESSION_COOKIE_NAME,
|
||||
request.session.session_key, max_age=max_age,
|
||||
|
@ -26,3 +26,7 @@ Bugfixes
|
||||
|
||||
* Prevented ``i18n_patterns()`` from using too much of the URL as the language
|
||||
to fix a use case for ``prefix_default_language=False`` (:ticket:`27063`).
|
||||
|
||||
* Replaced a possibly incorrect redirect from ``SessionMiddleware`` when a
|
||||
session is destroyed in a concurrent request with a ``SuspiciousOperation``
|
||||
to indicate that the request can't be completed (:ticket:`27363`).
|
||||
|
@ -25,7 +25,7 @@ from django.contrib.sessions.serializers import (
|
||||
from django.core import management
|
||||
from django.core.cache import caches
|
||||
from django.core.cache.backends.base import InvalidCacheBackendError
|
||||
from django.core.exceptions import ImproperlyConfigured
|
||||
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
|
||||
from django.http import HttpResponse
|
||||
from django.test import (
|
||||
RequestFactory, TestCase, ignore_warnings, override_settings,
|
||||
@ -708,14 +708,15 @@ class SessionMiddlewareTests(TestCase):
|
||||
request.session.save(must_create=True)
|
||||
request.session.delete()
|
||||
|
||||
# Handle the response through the middleware. It will try to save the
|
||||
# deleted session which will cause an UpdateError that's caught and
|
||||
# results in a redirect to the original page.
|
||||
response = middleware.process_response(request, response)
|
||||
|
||||
# Check that the response is a redirect.
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response['Location'], path)
|
||||
msg = (
|
||||
"The request's session was deleted before the request completed. "
|
||||
"The user may have logged out in a concurrent request, for example."
|
||||
)
|
||||
with self.assertRaisesMessage(SuspiciousOperation, msg):
|
||||
# Handle the response through the middleware. It will try to save
|
||||
# the deleted session which will cause an UpdateError that's caught
|
||||
# and raised as a SuspiciousOperation.
|
||||
middleware.process_response(request, response)
|
||||
|
||||
def test_session_delete_on_end(self):
|
||||
request = RequestFactory().get('/')
|
||||
|
Loading…
Reference in New Issue
Block a user