diff -r 6641e941ef1e -r ff1a9aa48cfd app/django/contrib/sessions/models.py --- a/app/django/contrib/sessions/models.py Tue Oct 14 12:36:55 2008 +0000 +++ b/app/django/contrib/sessions/models.py Tue Oct 14 16:00:59 2008 +0000 @@ -1,16 +1,19 @@ import base64 -import md5 import cPickle as pickle from django.db import models from django.utils.translation import ugettext_lazy as _ from django.conf import settings +from django.utils.hashcompat import md5_constructor + class SessionManager(models.Manager): def encode(self, session_dict): - "Returns the given session dictionary pickled and encoded as a string." + """ + Returns the given session dictionary pickled and encoded as a string. + """ pickled = pickle.dumps(session_dict) - pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest() + pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest() return base64.encodestring(pickled + pickled_md5) def save(self, session_key, session_dict, expire_date): @@ -21,6 +24,7 @@ s.delete() # Clear sessions with no data. return s + class Session(models.Model): """ Django provides full support for anonymous sessions. The session @@ -38,7 +42,8 @@ the sessions documentation that is shipped with Django (also available on the Django website). """ - session_key = models.CharField(_('session key'), max_length=40, primary_key=True) + session_key = models.CharField(_('session key'), max_length=40, + primary_key=True) session_data = models.TextField(_('session data')) expire_date = models.DateTimeField(_('expire date')) objects = SessionManager() 
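Review bot: In `encode`, the integrity tag is still `md5_constructor(pickled + settings.SECRET_KEY).hexdigest()`, a hand-rolled secret-suffix hash over MD5 rather than a standard MAC; the commit only changes which constructor is called. I would compute it with the standard `hmac` module keyed by `SECRET_KEY`, along the lines of `pickled_md5 = hmac.new(settings.SECRET_KEY, pickled, digestmod).hexdigest()`, with `digestmod` in whatever form the supported Python versions accept. The same expression is recomputed in `get_decoded` (the `@@ -51,7 +56,7 @@` hunk), so both sides have to change together, and sessions stored with the old tag would fail the check after the switch. The payload is a pickle and this tag is presumably the only thing checked before it is loaded again, so a comment on that line is warranted, e.g. `# Integrity tag: the payload is a pickle and must not be loaded unless this check passes.`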
@@ -51,7 +56,7 @@
 def get_decoded(self):
 encoded_data = base64.decodestring(self.session_data)
 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
- if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
+ if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
 from django.core.exceptions import SuspiciousOperation
 raise SuspiciousOperation, "User tampered with session cookie."
 try:
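Review bot: The tag check in `get_decoded`, `... .hexdigest() != tamper_check`, is an ordinary string comparison that stops at the first differing character, so its running time depends on how much of the tag matches; an integrity check should compare in constant time. The page shows no such helper, so one would need adding (for equal-length strings, accumulate the XOR of each character pair and test the accumulator once), and the condition would become `if not constant_time_compare(expected, tamper_check):`, where the helper name is only a suggestion. Input shorter than 32 bytes is not rejected explicitly either: the `[:-32]` and `[-32:]` slices yield a short tag that then fails the comparison, which works but deserves a one-line comment. The function body continues past `try:` outside this hunk, so what is done with `pickled` after the check is not visible here.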