--- a/app/django/contrib/sessions/models.py Tue Oct 14 12:36:55 2008 +0000
+++ b/app/django/contrib/sessions/models.py Tue Oct 14 16:00:59 2008 +0000
@@ -1,16 +1,19 @@
import base64
-import md5
import cPickle as pickle
from django.db import models
from django.utils.translation import ugettext_lazy as _
from django.conf import settings
+from django.utils.hashcompat import md5_constructor
+
class SessionManager(models.Manager):
def encode(self, session_dict):
- "Returns the given session dictionary pickled and encoded as a string."
+ """
+ Returns the given session dictionary pickled and encoded as a string.
+ """
pickled = pickle.dumps(session_dict)
- pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
+ pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
return base64.encodestring(pickled + pickled_md5)
def save(self, session_key, session_dict, expire_date):
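Review bot: The tamper tag in `encode` is still `md5(pickled + SECRET_KEY)`, a secret-suffix hash rather than a keyed MAC, and swapping `md5.new` for `md5_constructor` leaves that construction as it was. With the key appended after the session payload, the tag is only as strong as MD5's collision resistance, which is the dependency HMAC is designed to remove. I would add `import hmac` and compute `pickled_md5 = hmac.new(settings.SECRET_KEY, pickled).hexdigest()`; on Python 2 the default digest is MD5, so the tag stays 32 hex characters and the `[-32:]` split still works. The matching check in `get_decoded` (last hunk) has to change in the same commit, and sessions stored under the old scheme will fail verification once.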
@@ -21,6 +24,7 @@
s.delete() # Clear sessions with no data.
return s
+
class Session(models.Model):
"""
Django provides full support for anonymous sessions. The session
@@ -38,7 +42,8 @@
the sessions documentation that is shipped with Django (also available
on the Django website).
"""
- session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
+ session_key = models.CharField(_('session key'), max_length=40,
+ primary_key=True)
session_data = models.TextField(_('session data'))
expire_date = models.DateTimeField(_('expire date'))
objects = SessionManager()
@@ -51,7 +56,7 @@
def get_decoded(self):
encoded_data = base64.decodestring(self.session_data)
pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
- if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+ if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
from django.core.exceptions import SuspiciousOperation
raise SuspiciousOperation, "User tampered with session cookie."
try:
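Review bot: The check in `get_decoded` compares the computed digest with `tamper_check` using `!=`, which stops at the first differing character, so the time it takes depends on how much of a submitted tag is correct. A comparison that always walks the full string removes that signal; the standard library these 2008 sources target has no ready-made helper, so a small module-level function is sketched below. `get_decoded` continues past the hunk, and the `try:` presumably unpickles `pickled`, which would make this check the only barrier before deserialization. A comment saying so above the `if` would help.

```python
def _digests_equal(a, b):
    # Visit every character so timing does not depend on where the first
    # mismatch occurs.
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= ord(x) ^ ord(y)
    return diff == 0

        # … unchanged: base64 decode and the [:-32] / [-32:] split …
        expected = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
        if not _digests_equal(expected, tamper_check):
            # … unchanged: import and raise SuspiciousOperation …
```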