Fix BadSignature exception handling in SessionMiddleware (#1264)
authorHannes Küttner <kuettner.hannes@gmail.com>
Sat, 14 Aug 2021 14:38:50 +0000 (16:38 +0200)
committerGitHub <noreply@github.com>
Sat, 14 Aug 2021 14:38:50 +0000 (15:38 +0100)
starlette/middleware/sessions.py
tests/middleware/test_session.py

index a13ec5c0ed3018a57930a32dd6bb7125f3c8ac98..ad7a6ee8995826b827f2fe00cd1dc664d961fafa 100644 (file)
@@ -3,7 +3,7 @@ import typing
 from base64 import b64decode, b64encode
 
 import itsdangerous
-from itsdangerous.exc import BadTimeSignature, SignatureExpired
+from itsdangerous.exc import BadSignature
 
 from starlette.datastructures import MutableHeaders, Secret
 from starlette.requests import HTTPConnection
@@ -42,7 +42,7 @@ class SessionMiddleware:
                 data = self.signer.unsign(data, max_age=self.max_age)
                 scope["session"] = json.loads(b64decode(data))
                 initial_session_was_empty = False
-            except (BadTimeSignature, SignatureExpired):
+            except BadSignature:
                 scope["session"] = {}
         else:
             scope["session"] = {}
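Review bot: The `b64decode` and `json.loads` calls on the line after `unsign` sit inside the same `try` (which opens above the hunk) but are not covered by the new `except BadSignature`, so a cookie whose signature verifies but whose payload is not valid base64/JSON would still raise `binascii.Error` / `json.JSONDecodeError` and turn into a 500 rather than an empty session. With a properly kept secret such a payload can only have been produced by the server itself (or by another application sharing the same key and default salt, if that ever happens), so surfacing it as a bug rather than silently resetting the session is defensible — but that reasoning should be visible in the code. I'd add above the `except`: `# Only signature failures mean a missing/expired/tampered cookie; a payload that verifies but fails to decode points at a server-side bug (or key reuse) and is deliberately not swallowed here.` Narrowing to `BadSignature` — which, as far as I recall, is the itsdangerous base of `BadTimeSignature` and `SignatureExpired` — is the right fix and much better than a broad `except Exception`.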
index 314f2be5837c7e1e32d8a0cd43d0b1293341863a..42f4447e5c260403c9ea3e985d3afce868e92827 100644 (file)
@@ -112,3 +112,16 @@ def test_session_cookie_subpath(test_client_factory):
     cookie = response.headers["set-cookie"]
     cookie_path = re.search(r"; path=(\S+);", cookie).groups()[0]
     assert cookie_path == "/second_app"
+
+
+def test_invalid_session_cookie(test_client_factory):
+    app = create_app()
+    app.add_middleware(SessionMiddleware, secret_key="example")
+    client = test_client_factory(app)
+
+    response = client.post("/update_session", json={"some": "data"})
+    assert response.json() == {"session": {"some": "data"}}
+
+    # we expect it to not raise an exception if we provide a bogus session cookie
+    response = client.get("/view_session", cookies={"session": "invalid"})
+    assert response.json() == {"session": {}}
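Review bot: The new test only exercises a cookie with no signature separator at all (`"invalid"`), so it would also pass if the middleware tolerated garbage but still raised on a well-formed cookie with a wrong signature — and the tampered case is the one that matters for session integrity. After the POST, take the real cookie and corrupt its signature, e.g. `bad = client.cookies["session"] + "0"`, then `response = client.get("/view_session", cookies={"session": bad})` and `assert response.json() == {"session": {}}`. A cookie produced under a different `secret_key` would be a useful third case. Whether `client.cookies` exposes the stored cookie depends on the test client fixture, which is outside this hunk; the `set-cookie` parsing used in the test above is an alternative.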