[Python-modules-commits] [python-django] 02/03: Fix the backported patches
Raphaël Hertzog
hertzog at moszumanska.debian.org
Wed Aug 26 16:22:54 UTC 2015
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch debian/squeeze
in repository python-django.
commit e202fdb78226fb8b60e97e36993f784b68797fd2
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Wed Aug 26 11:54:03 2015 +0200
Fix the backported patches
Session.session_key generates a new key on the fly, we need to check
the _session_key attribute. Fix this also in a place that was modified
by a former patch.
RequestFactory doesn't exist in Django 1.2, build a raw HttpRequest
instead.
---
debian/patches/CVE-2015-5963_5964.patch | 55 +++++++++++++++++++++++----------
1 file changed, 38 insertions(+), 17 deletions(-)
diff --git a/debian/patches/CVE-2015-5963_5964.patch b/debian/patches/CVE-2015-5963_5964.patch
index 4746ab8..9a3771a 100644
--- a/debian/patches/CVE-2015-5963_5964.patch
+++ b/debian/patches/CVE-2015-5963_5964.patch
@@ -106,7 +106,7 @@ This is a security fix.
+ else:
+ if accessed:
+ patch_vary_headers(response, ('Cookie',))
-+ if modified or settings.SESSION_SAVE_EVERY_REQUEST:
++ if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+ if request.session.get_expire_at_browser_close():
+ max_age = None
+ expires = None
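Review bot: The added `and not empty` guard is only as good as the value of `empty`, which is computed outside this hunk. The commit message says that reading `session_key` on this Django version generates a key on the fly, so if the backported `is_empty()` tests `self.session_key` rather than `self._session_key`, it can never report an empty session and the save and Set-Cookie path would still run after a flush. Please confirm that `is_empty()` reads `_session_key`. A short comment above the condition would also help, for example `# Do not save or send a cookie for an empty session.`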
@@ -124,42 +124,41 @@ This is a security fix.
return response
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
-@@ -7,6 +7,9 @@ r"""
+@@ -7,6 +7,8 @@ r"""
>>> from django.contrib.sessions.backends.file import SessionStore as FileSession
>>> from django.contrib.sessions.backends.base import SessionBase
>>> from django.contrib.sessions.models import Session
+>>> from django.contrib.sessions.middleware import SessionMiddleware
-+>>> from django.http import HttpResponse
-+>>> from django.test import RequestFactory
++>>> from django.http import HttpResponse, HttpRequest
>>> db_session = DatabaseSession()
>>> db_session.modified
-@@ -36,6 +39,8 @@ True
+@@ -34,6 +36,8 @@ True
+ >>> db_session.flush()
+ >>> db_session.exists(prev_key)
False
++>>> db_session._session_key is None
++True
>>> db_session.session_key == prev_key
False
-+>>> db_session.session_key
-+None
>>> db_session.modified, db_session.accessed
- (True, True)
- >>> db_session['a'], db_session['b'] = 'c', 'd'
-@@ -139,6 +144,8 @@ True
+@@ -137,6 +141,8 @@ True
+ >>> file_session.flush()
+ >>> file_session.exists(prev_key)
False
++>>> file_session._session_key is None
++True
>>> file_session.session_key == prev_key
False
-+>>> file_session.session_key
-+None
>>> file_session.modified, file_session.accessed
- (True, True)
- >>> file_session['a'], file_session['b'] = 'c', 'd'
-@@ -442,6 +449,38 @@ True
+@@ -442,6 +448,38 @@ True
True
>>> settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = original_expire_at_browser_close
+
+# Middleware tests
+# Backport of SessionMiddlewareTests.test_session_delete_on_end():
-+>>> request = RequestFactory().get('/')
++>>> request = HttpRequest()
+>>> response = HttpResponse('Session test')
+>>> middleware = SessionMiddleware()
+>>> # Before deleting, there has to be an existing cookie
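Review bot: The new `db_session._session_key is None` and `file_session._session_key is None` checks pass only because they run before the `session_key == prev_key` line. Per the commit message, reading the `session_key` property creates a fresh key, so reordering those two doctest lines would make the assertion fail for a reason that is not obvious. I would add a line ahead of each check, in the same style the file already uses, such as `>>> # Must run before any read of session_key, which generates a new key on access.`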
@@ -177,7 +176,7 @@ This is a security fix.
+
+# Backport of
+# SessionMiddlewareTests.test_flush_empty_without_session_cookie_doesnt_set_cookie()
-+>>> request = RequestFactory().get('/')
++>>> request = HttpRequest()
+>>> response = HttpResponse('Session test')
+>>> middleware = SessionMiddleware()
+>>> # Simulate a request that ends the session
@@ -191,3 +190,25 @@ This is a security fix.
"""
if __name__ == '__main__':
+--- a/django/contrib/sessions/backends/db.py
++++ b/django/contrib/sessions/backends/db.py
+@@ -51,7 +51,7 @@ class SessionStore(SessionBase):
+ create a *new* entry (as opposed to possibly updating an existing
+ entry).
+ """
+- if self.session_key is None:
++ if self._session_key is None:
+ return self.create()
+ obj = Session(
+ session_key = self.session_key,
+--- a/django/contrib/sessions/backends/file.py
++++ b/django/contrib/sessions/backends/file.py
+@@ -74,7 +74,7 @@ class SessionStore(SessionBase):
+ return
+
+ def save(self, must_create=False):
+- if self.session_key is None:
++ if self._session_key is None:
+ return self.create()
+ # Get the session data now, before we start messing
+ # with the file it is stored within.
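Review bot: Only the db and file backends' `save()` guards are switched to `self._session_key is None` here; the cache backend's `save()` is not visible in this diff. If it, or any other spot touched by the earlier patch, still tests `self.session_key is None`, that condition can never be true on this Django version and a flushed session would still be written to the store. Searching the whole patch series for `session_key is None` would confirm nothing was missed. Both `save()` bodies continue outside the hunk, so the rest of each method could not be checked from here.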
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git