[Python-modules-commits] [python-django] 06/07: Initialize git-dpm

Brian May bam at moszumanska.debian.org
Sun Oct 11 02:44:56 UTC 2015


This is an automated email from the git hooks/post-receive script.

bam pushed a commit to branch debian/jessie
in repository python-django.

commit f3dcdb6fff6377965d28c3139b07c23634365520
Merge: c46d924 4f049c3
Author: Brian May <brian at microcomaustralia.com.au>
Date:   Sun Oct 11 12:06:18 2015 +1100

    Initialize git-dpm

 debian/.git-dpm                                    |  8 +++
 .../patches/02_disable-sources-in-sphinxdoc.diff   | 16 ++++--
 debian/patches/03_manpage.diff                     | 15 +++++-
 .../06_use_debian_geoip_database_as_default.diff   | 21 +++++---
 debian/patches/newlines-1.7.x.diff                 | 35 ++++++++-----
 debian/patches/session-1.7.x.diff                  | 60 +++++++++++++---------
 django/contrib/gis/geoip/base.py                   | 19 +++----
 django/contrib/sessions/backends/cache.py          |  6 ++-
 django/contrib/sessions/backends/cached_db.py      |  4 +-
 django/contrib/sessions/backends/db.py             |  5 +-
 django/contrib/sessions/backends/file.py           |  5 +-
 django/contrib/sessions/tests.py                   | 20 ++++++++
 django/core/validators.py                          | 27 +++++-----
 docs/conf.py                                       |  5 +-
 docs/man/django-admin.1                            |  6 +--
 tests/validators/tests.py                          | 15 +++++-
 16 files changed, 185 insertions(+), 82 deletions(-)

diff --cc debian/.git-dpm
index 0000000,0000000..b96ced3
new file mode 100644
--- /dev/null
+++ b/debian/.git-dpm
@@@ -1,0 -1,0 +1,8 @@@
++# see git-dpm(1) from git-dpm package
++4f049c3e12ad3ed171b5fde82406c77e39481573
++4f049c3e12ad3ed171b5fde82406c77e39481573
++7a41006b464c23d415485ebd4284c1957e5e47e2
++7a41006b464c23d415485ebd4284c1957e5e47e2
++python-django_1.7.7.orig.tar.gz
++614cc9f8e1af6630c54300f6bdd88e7b783614c3
++7603286
diff --cc debian/patches/02_disable-sources-in-sphinxdoc.diff
index 0e00a13,0000000..f230c4a
mode 100644,000000..100644
--- a/debian/patches/02_disable-sources-in-sphinxdoc.diff
+++ b/debian/patches/02_disable-sources-in-sphinxdoc.diff
@@@ -1,23 -1,0 +1,33 @@@
- Description: Disable creation of _sources directory by Sphinx
++From 87853511731cac6d380c3f889861b309db11e7b2 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog at debian.org>
++Date: Sun, 11 Oct 2015 12:06:13 +1100
++Subject: Disable creation of _sources directory by Sphinx
++
 + We do this to save some space as the sources of the documentation
 + are not really useful in a binary package.
 + .
 + This is a Debian specific patch.
 +Forwarded: not-needed
- Author: Raphaël Hertzog <hertzog at debian.org>
 +Origin: vendor
 +
++Patch-Name: 02_disable-sources-in-sphinxdoc.diff
++---
++ docs/conf.py | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/docs/conf.py b/docs/conf.py
++index 7707cf3..f179438 100644
 +--- a/docs/conf.py
 ++++ b/docs/conf.py
- @@ -196,7 +196,10 @@ html_additional_pages = {}
++@@ -200,7 +200,10 @@ html_additional_pages = {}
 + #html_split_index = False
 + 
 + # If true, links to the reST sources are added to the pages.
 +-#html_show_sourcelink = True
 ++html_show_sourcelink = False
 ++
 ++# Do not ship a copy of the sources
 ++html_copy_source = False
 + 
 + # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
 + #html_show_sphinx = True
diff --cc debian/patches/03_manpage.diff
index b44b0a2,0000000..d601f7a
mode 100644,000000..100644
--- a/debian/patches/03_manpage.diff
+++ b/debian/patches/03_manpage.diff
@@@ -1,23 -1,0 +1,34 @@@
- Description: Update manual page to refer to django-admin instead of django-admin.py
++From 0ab6de8181500c92819bbe113c3907e15b5a9b37 Mon Sep 17 00:00:00 2001
++From: Brett Parker <iDunno at sommitrealweird.co.uk>
++Date: Sun, 11 Oct 2015 12:06:14 +1100
++Subject: Update manual page to refer to django-admin instead of
++ django-admin.py
++
 + Update the manual page to speak of django-admin instead of
 + django-admin.py as that's the name used by the Debian package.
 + .
 + This is a Debian specific patch.
 +Forwarded: not-needed
- Author: Brett Parker <iDunno at sommitrealweird.co.uk>
 +Origin: vendor
 +
++Patch-Name: 03_manpage.diff
++---
++ docs/man/django-admin.1 | 6 +++---
++ 1 file changed, 3 insertions(+), 3 deletions(-)
++
++diff --git a/docs/man/django-admin.1 b/docs/man/django-admin.1
++index c9932ac..bdb6438 100644
 +--- a/docs/man/django-admin.1
 ++++ b/docs/man/django-admin.1
 +@@ -1,8 +1,8 @@
 +-.TH "django-admin.py" "1" "March 2008" "Django Project" ""
 ++.TH "django-admin" "1" "March 2008" "Django Project" ""
 + .SH "NAME"
 +-django\-admin.py \- Utility script for the Django Web framework
 ++django\-admin \- Utility script for the Django Web framework
 + .SH "SYNOPSIS"
 +-.B django\-admin.py
 ++.B django\-admin
 + .I <action>
 + .B [options]
 + .sp
diff --cc debian/patches/06_use_debian_geoip_database_as_default.diff
index bfe3690,0000000..fefce5b
mode 100644,000000..100644
--- a/debian/patches/06_use_debian_geoip_database_as_default.diff
+++ b/debian/patches/06_use_debian_geoip_database_as_default.diff
@@@ -1,60 -1,0 +1,69 @@@
- Description: Use Debian GeoIP database path as default
++From 27dce852f2b063e62482cd1fadbecfc1a089edcf Mon Sep 17 00:00:00 2001
++From: Tapio Rantala <tapio.rantala at iki.fi>
++Date: Sun, 11 Oct 2015 12:06:15 +1100
++Subject: Use Debian GeoIP database path as default
++
 + Default to Debian standard path for GeoIP directory and for GeoIP city
 + file. Avoids the need to declare them in each project.
 + .
 + This is a Debian specific patch.
 +Bug-Debian: http://bugs.debian.org/645094
 +Forwarded: not-needed
- Author: Tapio Rantala <tapio.rantala at iki.fi>
 +
++Patch-Name: 06_use_debian_geoip_database_as_default.diff
++---
++ django/contrib/gis/geoip/base.py | 19 ++++++++++---------
++ 1 file changed, 10 insertions(+), 9 deletions(-)
++
++diff --git a/django/contrib/gis/geoip/base.py b/django/contrib/gis/geoip/base.py
++index 9295030..0b05f43 100644
 +--- a/django/contrib/gis/geoip/base.py
 ++++ b/django/contrib/gis/geoip/base.py
 +@@ -67,7 +67,8 @@ class GeoIP(object):
 +         * path: Base directory to where GeoIP data is located or the full path
 +             to where the city or country data files (*.dat) are located.
 +             Assumes that both the city and country data sets are located in
 +-            this directory; overrides the GEOIP_PATH settings attribute.
 ++            this directory. Overrides the GEOIP_PATH settings attribute.
 ++            If neither is set, defaults to '/usr/share/GeoIP'.
 + 
 +         * cache: The cache settings when opening up the GeoIP datasets,
 +             and may be an integer in (0, 1, 2, 4, 8) corresponding to
 +@@ -76,11 +77,13 @@ class GeoIP(object):
 +             settings,  respectively.  Defaults to 0, meaning that the data is read
 +             from the disk.
 + 
 +-        * country: The name of the GeoIP country data file.  Defaults to
 +-            'GeoIP.dat'; overrides the GEOIP_COUNTRY settings attribute.
- -
- -        * city: The name of the GeoIP city data file.  Defaults to
- -            'GeoLiteCity.dat'; overrides the GEOIP_CITY settings attribute.
 ++        * country: The name of the GeoIP country data file. Overrides
 ++            the GEOIP_COUNTRY settings attribute. If neither is set,
 ++            defaults to 'GeoIP.dat'
- +
++ 
++-        * city: The name of the GeoIP city data file.  Defaults to
++-            'GeoLiteCity.dat'; overrides the GEOIP_CITY settings attribute.
 ++        * city: The name of the GeoIP city data file. Overrides the
 ++            GEOIP_CITY settings attribute. If neither is set, defaults
 ++            to 'GeoIPCity.dat'.
 +         """
 +         # Checking the given cache option.
 +         if cache in self.cache_options:
 +@@ -90,9 +93,7 @@ class GeoIP(object):
 + 
 +         # Getting the GeoIP data path.
 +         if not path:
 +-            path = GEOIP_SETTINGS.get('GEOIP_PATH', None)
 +-            if not path:
 +-                raise GeoIPException('GeoIP path must be provided via parameter or the GEOIP_PATH setting.')
 ++            path = GEOIP_SETTINGS.get('GEOIP_PATH', '/usr/share/GeoIP')
 +         if not isinstance(path, six.string_types):
 +             raise TypeError('Invalid path type: %s' % type(path).__name__)
 + 
 +@@ -105,7 +106,7 @@ class GeoIP(object):
 +                 self._country = GeoIP_open(force_bytes(country_db), cache)
 +                 self._country_file = country_db
 + 
 +-            city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoLiteCity.dat'))
 ++            city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoIPCity.dat'))
 +             if os.path.isfile(city_db):
 +                 self._city = GeoIP_open(force_bytes(city_db), cache)
 +                 self._city_file = city_db
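Review bot: In the inner hunk at `@@ -90,9 +93,7 @@`, `GEOIP_SETTINGS.get('GEOIP_PATH', '/usr/share/GeoIP')` falls back to the Debian directory only when the key is absent. If the setting is present but `None`, `path` stays `None` and the `isinstance` check on the following line raises `TypeError` in place of the removed `GeoIPException`; an empty string passes that check and continues with an empty path. GEOIP_SETTINGS is built outside this hunk, so whether such values can reach it should be confirmed; if they can, `path = GEOIP_SETTINGS.get('GEOIP_PATH') or '/usr/share/GeoIP'` keeps the default for every falsy value. The rewritten docstring entry for `country` also lacks the closing period that the `city` entry has. The GeoIP constructor starts and ends outside the hunk.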
diff --cc debian/patches/newlines-1.7.x.diff
index 78c320e,0000000..803d379
mode 100644,000000..100644
--- a/debian/patches/newlines-1.7.x.diff
+++ b/debian/patches/newlines-1.7.x.diff
@@@ -1,149 -1,0 +1,158 @@@
++From 734cf4ac8c84d108f0839a24642f50275fe3e8d3 Mon Sep 17 00:00:00 2001
++From: Tim Graham <timograham at gmail.com>
++Date: Fri, 12 Jun 2015 13:49:31 -0400
++Subject: newlines-1.7.x.diff
++
 +commit 6e4164b083adb5c974c7ded0f3aeae5188e52b5a
- Author: Tim Graham <timograham at gmail.com>
- Date:   Fri Jun 12 13:49:31 2015 -0400
 +
 +    [1.7.x] Prevented newlines from being accepted in some validators.
-     
++
 +    This is a security fix; disclosure to follow shortly.
-     
++
 +    Thanks to Sjoerd Job Postmus for the report and draft patch.
 +
- Index: python-django-1.7.7/django/core/validators.py
- ===================================================================
- --- python-django-1.7.7.orig/django/core/validators.py
- +++ python-django-1.7.7/django/core/validators.py
++Patch-Name: newlines-1.7.x.diff
++---
++ django/core/validators.py | 27 +++++++++++++++------------
++ tests/validators/tests.py | 15 ++++++++++++++-
++ 2 files changed, 29 insertions(+), 13 deletions(-)
++
++diff --git a/django/core/validators.py b/django/core/validators.py
++index 1e599ec..462e310 100644
++--- a/django/core/validators.py
+++++ b/django/core/validators.py
 +@@ -73,7 +73,7 @@ class URLValidator(RegexValidator):
 +         r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
 +         r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
 +         r'(?::\d+)?'  # optional port
 +-        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
 ++        r'(?:/?|[/?]\S+)\Z', re.IGNORECASE)
 +     message = _('Enter a valid URL.')
 +     schemes = ['http', 'https', 'ftp', 'ftps']
 + 
 +@@ -107,12 +107,15 @@ class URLValidator(RegexValidator):
 +         else:
 +             url = value
 + 
 ++integer_validator = RegexValidator(
 ++    re.compile('^-?\d+\Z'),
 ++    message=_('Enter a valid integer.'),
 ++    code='invalid',
 ++)
 ++
 + 
 + def validate_integer(value):
 +-    try:
 +-        int(value)
 +-    except (ValueError, TypeError):
 +-        raise ValidationError(_('Enter a valid integer.'), code='invalid')
 ++    return integer_validator(value)
 + 
 + 
 + @deconstructible
 +@@ -120,15 +123,15 @@ class EmailValidator(object):
 +     message = _('Enter a valid email address.')
 +     code = 'invalid'
 +     user_regex = re.compile(
 +-        r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*$"  # dot-atom
 +-        r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"$)',  # quoted-string
 ++        r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*\Z"  # dot-atom
 ++        r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"\Z)',  # quoted-string
 +         re.IGNORECASE)
 +     domain_regex = re.compile(
 +-        r'(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}|[A-Z0-9-]{2,}(?<!-))$',
 ++        r'(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}|[A-Z0-9-]{2,}(?<!-))\Z',
 +         re.IGNORECASE)
 +     literal_regex = re.compile(
 +         # literal form, ipv4 or ipv6 address (SMTP 4.1.3)
 +-        r'\[([A-f0-9:\.]+)\]$',
 ++        r'\[([A-f0-9:\.]+)\]\Z',
 +         re.IGNORECASE)
 +     domain_whitelist = ['localhost']
 + 
 +@@ -181,10 +184,10 @@ class EmailValidator(object):
 + 
 + validate_email = EmailValidator()
 + 
 +-slug_re = re.compile(r'^[-a-zA-Z0-9_]+$')
 ++slug_re = re.compile(r'^[-a-zA-Z0-9_]+\Z')
 + validate_slug = RegexValidator(slug_re, _("Enter a valid 'slug' consisting of letters, numbers, underscores or hyphens."), 'invalid')
 + 
 +-ipv4_re = re.compile(r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}$')
 ++ipv4_re = re.compile(r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}\Z')
 + validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
 + 
 + 
- @@ -225,7 +228,7 @@ def ip_address_validators(protocol, unpa
++@@ -225,7 +228,7 @@ def ip_address_validators(protocol, unpack_ipv4):
 +         raise ValueError("The protocol '%s' is unknown. Supported: %s"
 +                          % (protocol, list(ip_address_validator_map)))
 + 
 +-comma_separated_int_list_re = re.compile('^[\d,]+$')
 ++comma_separated_int_list_re = re.compile('^[\d,]+\Z')
 + validate_comma_separated_integer_list = RegexValidator(comma_separated_int_list_re, _('Enter only digits separated by commas.'), 'invalid')
 + 
 + 
- Index: python-django-1.7.7/tests/validators/tests.py
- ===================================================================
- --- python-django-1.7.7.orig/tests/validators/tests.py
- +++ python-django-1.7.7/tests/validators/tests.py
++diff --git a/tests/validators/tests.py b/tests/validators/tests.py
++index f586270..923e640 100644
++--- a/tests/validators/tests.py
+++++ b/tests/validators/tests.py
 +@@ -25,10 +25,12 @@ TEST_DATA = (
 +     (validate_integer, '42', None),
 +     (validate_integer, '-42', None),
 +     (validate_integer, -42, None),
 +-    (validate_integer, -42.5, None),
 + 
 ++    (validate_integer, -42.5, ValidationError),
 +     (validate_integer, None, ValidationError),
 +     (validate_integer, 'a', ValidationError),
 ++    (validate_integer, '\n42', ValidationError),
 ++    (validate_integer, '42\n', ValidationError),
 + 
 +     (validate_email, 'email at here.com', None),
 +     (validate_email, 'weirder-email at here.and.there.com', None),
 +@@ -66,6 +68,11 @@ TEST_DATA = (
 +     (validate_email, '"\\\011"@here.com', None),
 +     (validate_email, '"\\\012"@here.com', ValidationError),
 +     (validate_email, 'trailingdot at shouldfail.com.', ValidationError),
 ++    # Trailing newlines in username or domain not allowed
 ++    (validate_email, 'a at b.com\n', ValidationError),
 ++    (validate_email, 'a\n at b.com', ValidationError),
 ++    (validate_email, '"test at test"\n at example.com', ValidationError),
 ++    (validate_email, 'a@[127.0.0.1]\n', ValidationError),
 + 
 +     (validate_slug, 'slug-ok', None),
 +     (validate_slug, 'longer-slug-still-ok', None),
 +@@ -78,6 +85,7 @@ TEST_DATA = (
 +     (validate_slug, 'some at mail.com', ValidationError),
 +     (validate_slug, '你好', ValidationError),
 +     (validate_slug, '\n', ValidationError),
 ++    (validate_slug, 'trailing-newline\n', ValidationError),
 + 
 +     (validate_ipv4_address, '1.1.1.1', None),
 +     (validate_ipv4_address, '255.0.0.0', None),
 +@@ -87,6 +95,7 @@ TEST_DATA = (
 +     (validate_ipv4_address, '25.1.1.', ValidationError),
 +     (validate_ipv4_address, '25,1,1,1', ValidationError),
 +     (validate_ipv4_address, '25.1 .1.1', ValidationError),
 ++    (validate_ipv4_address, '1.1.1.1\n', ValidationError),
 + 
 +     # validate_ipv6_address uses django.utils.ipv6, which
 +     # is tested in much greater detail in its own testcase
 +@@ -120,6 +129,7 @@ TEST_DATA = (
 +     (validate_comma_separated_integer_list, '', ValidationError),
 +     (validate_comma_separated_integer_list, 'a,b,c', ValidationError),
 +     (validate_comma_separated_integer_list, '1, 2, 3', ValidationError),
 ++    (validate_comma_separated_integer_list, '1,2,3\n', ValidationError),
 + 
 +     (MaxValueValidator(10), 10, None),
 +     (MaxValueValidator(10), -10, None),
 +@@ -181,6 +191,9 @@ TEST_DATA = (
 +     (URLValidator(), 'file://localhost/path', ValidationError),
 +     (URLValidator(), 'git://example.com/', ValidationError),
 +     (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
 ++    # Trailing newlines not accepted
 ++    (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
 ++    (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
 + 
 +     (BaseValidator(True), True, None),
 +     (BaseValidator(True), False, ValidationError),
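Review bot: `validate_integer` now delegates to `integer_validator`, so it rejects values that the removed `int(value)` call accepted. The test change for `-42.5` in this patch shows one such value, and strings with surrounding whitespace such as `' 42 '` would presumably be another, since `^-?\d+\Z` allows no padding. A comment above `integer_validator` such as `# Stricter than int(): optional leading '-' then digits only (no floats, no whitespace).` would make the narrowing visible to callers. The patterns `'^-?\d+\Z'` and `'^[\d,]+\Z'` are non-raw strings containing backslash escapes; writing them as `r'^-?\d+\Z'` and `r'^[\d,]+\Z'` matches the raw-string style of the other patterns shown in the file.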
diff --cc debian/patches/session-1.7.x.diff
index 8b3ddfb,0000000..f75b6e8
mode 100644,000000..100644
--- a/debian/patches/session-1.7.x.diff
+++ b/debian/patches/session-1.7.x.diff
@@@ -1,155 -1,0 +1,167 @@@
++From 4f049c3e12ad3ed171b5fde82406c77e39481573 Mon Sep 17 00:00:00 2001
++From: Carl Meyer <carl at oddbird.net>
++Date: Wed, 10 Jun 2015 15:45:20 -0600
++Subject: session-1.7.x.diff
++
 +commit ac4a54705fb9cdde832d07667843b45b208f9aad
- Author: Carl Meyer <carl at oddbird.net>
- Date:   Wed Jun 10 15:45:20 2015 -0600
 +
 +    [1.7.x] Fixed #19324 -- Avoided creating a session record when loading the session.
-     
++
 +    The session record is now only created if/when the session is modified. This
 +    prevents a potential DoS via creation of many empty session records.
-     
++
 +    This is a security fix; disclosure to follow shortly.
 +
- Index: python-django-1.7.7/django/contrib/sessions/backends/cache.py
- ===================================================================
- --- python-django-1.7.7.orig/django/contrib/sessions/backends/cache.py
- +++ python-django-1.7.7/django/contrib/sessions/backends/cache.py
++Patch-Name: session-1.7.x.diff
++---
++ django/contrib/sessions/backends/cache.py     |  6 ++++--
++ django/contrib/sessions/backends/cached_db.py |  4 ++--
++ django/contrib/sessions/backends/db.py        |  5 +++--
++ django/contrib/sessions/backends/file.py      |  5 +++--
++ django/contrib/sessions/tests.py              | 20 ++++++++++++++++++++
++ 5 files changed, 32 insertions(+), 8 deletions(-)
++
++diff --git a/django/contrib/sessions/backends/cache.py b/django/contrib/sessions/backends/cache.py
++index b1058b3..faeb106 100644
++--- a/django/contrib/sessions/backends/cache.py
+++++ b/django/contrib/sessions/backends/cache.py
 +@@ -27,7 +27,7 @@ class SessionStore(SessionBase):
 +             session_data = None
 +         if session_data is not None:
 +             return session_data
 +-        self.create()
 ++        self._session_key = None
 +         return {}
 + 
 +     def create(self):
 +@@ -49,6 +49,8 @@ class SessionStore(SessionBase):
 +             "It is likely that the cache is unavailable.")
 + 
 +     def save(self, must_create=False):
 ++        if self.session_key is None:
 ++            return self.create()
 +         if must_create:
 +             func = self._cache.add
 +         else:
 +@@ -60,7 +62,7 @@ class SessionStore(SessionBase):
 +             raise CreateError
 + 
 +     def exists(self, session_key):
 +-        return (KEY_PREFIX + session_key) in self._cache
 ++        return session_key and (KEY_PREFIX + session_key) in self._cache
 + 
 +     def delete(self, session_key=None):
 +         if session_key is None:
- Index: python-django-1.7.7/django/contrib/sessions/backends/cached_db.py
- ===================================================================
- --- python-django-1.7.7.orig/django/contrib/sessions/backends/cached_db.py
- +++ python-django-1.7.7/django/contrib/sessions/backends/cached_db.py
++diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py
++index f5c14b0..5cc6f79 100644
++--- a/django/contrib/sessions/backends/cached_db.py
+++++ b/django/contrib/sessions/backends/cached_db.py
 +@@ -51,12 +51,12 @@ class SessionStore(DBStore):
 +                     logger = logging.getLogger('django.security.%s' %
 +                             e.__class__.__name__)
 +                     logger.warning(force_text(e))
 +-                self.create()
 ++                self._session_key = None
 +                 data = {}
 +         return data
 + 
 +     def exists(self, session_key):
 +-        if (KEY_PREFIX + session_key) in self._cache:
 ++        if session_key and (KEY_PREFIX + session_key) in self._cache:
 +             return True
 +         return super(SessionStore, self).exists(session_key)
 + 
- Index: python-django-1.7.7/django/contrib/sessions/backends/db.py
- ===================================================================
- --- python-django-1.7.7.orig/django/contrib/sessions/backends/db.py
- +++ python-django-1.7.7/django/contrib/sessions/backends/db.py
++diff --git a/django/contrib/sessions/backends/db.py b/django/contrib/sessions/backends/db.py
++index a087061..3e6cdf9 100644
++--- a/django/contrib/sessions/backends/db.py
+++++ b/django/contrib/sessions/backends/db.py
 +@@ -26,7 +26,7 @@ class SessionStore(SessionBase):
 +                 logger = logging.getLogger('django.security.%s' %
 +                         e.__class__.__name__)
 +                 logger.warning(force_text(e))
 +-            self.create()
 ++            self._session_key = None
 +             return {}
 + 
 +     def exists(self, session_key):
 +@@ -43,7 +43,6 @@ class SessionStore(SessionBase):
 +                 # Key wasn't unique. Try again.
 +                 continue
 +             self.modified = True
 +-            self._session_cache = {}
 +             return
 + 
 +     def save(self, must_create=False):
 +@@ -53,6 +52,8 @@ class SessionStore(SessionBase):
 +         create a *new* entry (as opposed to possibly updating an existing
 +         entry).
 +         """
 ++        if self.session_key is None:
 ++            return self.create()
 +         obj = Session(
 +             session_key=self._get_or_create_session_key(),
 +             session_data=self.encode(self._get_session(no_load=must_create)),
- Index: python-django-1.7.7/django/contrib/sessions/backends/file.py
- ===================================================================
- --- python-django-1.7.7.orig/django/contrib/sessions/backends/file.py
- +++ python-django-1.7.7/django/contrib/sessions/backends/file.py
++diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
++index 6569daf..f886bcd 100644
++--- a/django/contrib/sessions/backends/file.py
+++++ b/django/contrib/sessions/backends/file.py
 +@@ -96,7 +96,7 @@ class SessionStore(SessionBase):
 +                     self.delete()
 +                     self.create()
 +         except (IOError, SuspiciousOperation):
 +-            self.create()
 ++            self._session_key = None
 +         return session_data
 + 
 +     def create(self):
 +@@ -107,10 +107,11 @@ class SessionStore(SessionBase):
 +             except CreateError:
 +                 continue
 +             self.modified = True
 +-            self._session_cache = {}
 +             return
 + 
 +     def save(self, must_create=False):
 ++        if self.session_key is None:
 ++            return self.create()
 +         # Get the session data now, before we start messing
 +         # with the file it is stored within.
 +         session_data = self._get_session(no_load=must_create)
- Index: python-django-1.7.7/django/contrib/sessions/tests.py
- ===================================================================
- --- python-django-1.7.7.orig/django/contrib/sessions/tests.py
- +++ python-django-1.7.7/django/contrib/sessions/tests.py
++diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
++index 8d63aaa..6e042c7 100644
++--- a/django/contrib/sessions/tests.py
+++++ b/django/contrib/sessions/tests.py
 +@@ -171,6 +171,11 @@ class SessionTestsMixin(object):
 +         self.assertNotEqual(self.session.session_key, prev_key)
 +         self.assertEqual(list(self.session.items()), prev_data)
 + 
 ++    def test_save_doesnt_clear_data(self):
 ++        self.session['a'] = 'b'
 ++        self.session.save()
 ++        self.assertEqual(self.session['a'], 'b')
 ++
 +     def test_invalid_key(self):
 +         # Submitting an invalid session key (either by guessing, or if the db has
 +         # removed the key) results in a new key being generated.
 +@@ -306,6 +311,21 @@ class SessionTestsMixin(object):
 +                 self.session.delete(old_session_key)
 +                 self.session.delete(new_session_key)
 + 
 ++    def test_session_load_does_not_create_record(self):
 ++        """
 ++        Loading an unknown session key does not create a session record.
 ++
 ++        Creating session records on load is a DOS vulnerability.
 ++        """
 ++        if self.backend is CookieSession:
 ++            raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.")
 ++        session = self.backend('someunknownkey')
 ++        session.load()
 ++
 ++        self.assertFalse(session.exists(session.session_key))
 ++        # provided unknown key was cycled, not reused
 ++        self.assertNotEqual(session.session_key, 'someunknownkey')
 ++
 + 
 + class DatabaseSessionTests(SessionTestsMixin, TestCase):
 + 
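Review bot: In cache.py, `exists()` now returns `session_key and (KEY_PREFIX + session_key) in self._cache`, which yields the falsy key itself (`None` or `''`) rather than `False`; `return bool(session_key) and (KEY_PREFIX + session_key) in self._cache` keeps the return type boolean. After `load()` resets `self._session_key = None`, the new test calls `session.exists(session.session_key)`, so the db and file backends' `exists()` (bodies not shown in these hunks) are presumably reached with `None` and may need the same guard. In that test, `assertNotEqual(session.session_key, 'someunknownkey')` also passes when the key is simply `None`, so its comment would read more accurately as `# provided unknown key was discarded, not reused`.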

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git


