From: Hannes Küttner Date: Sat, 14 Aug 2021 14:38:50 +0000 (+0200) Subject: Fix BadSignature exception handling in SessionMiddleware (#1264) X-Git-Tag: 0.17.0~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e675a0b86db41e0a99bec2d97bad86633523ec1;p=thirdparty%2Fstarlette.git Fix BadSignature exception handling in SessionMiddleware (#1264)
---
diff --git a/starlette/middleware/sessions.py b/starlette/middleware/sessions.py
index a13ec5c0..ad7a6ee8 100644
--- a/starlette/middleware/sessions.py
+++ b/starlette/middleware/sessions.py
@@ -3,7 +3,7 @@ import typing
 from base64 import b64decode, b64encode
 import itsdangerous
-from itsdangerous.exc import BadTimeSignature, SignatureExpired
+from itsdangerous.exc import BadSignature
 from starlette.datastructures import MutableHeaders, Secret
 from starlette.requests import HTTPConnection
@@ -42,7 +42,7 @@ class SessionMiddleware:
 data = self.signer.unsign(data, max_age=self.max_age)
 scope["session"] = json.loads(b64decode(data))
 initial_session_was_empty = False
-except (BadTimeSignature, SignatureExpired):
+except BadSignature:
 scope["session"] = {}
 else:
 scope["session"] = {}
diff --git a/tests/middleware/test_session.py b/tests/middleware/test_session.py
index 314f2be5..42f4447e 100644
--- a/tests/middleware/test_session.py
+++ b/tests/middleware/test_session.py
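Review bot: In the second hunk of sessions.py, `initial_session_was_empty` is only set to False on the successful-unsign path, so in the new `except BadSignature:` branch it keeps whatever value it had before the try; if, as the name suggests, that flag later decides whether a clearing Set-Cookie is emitted, a tampered or expired cookie is left on the client and re-verified on every request rather than being cleared. Consider treating the rejected-cookie path like a non-empty initial session so the stale cookie is deleted in the response, and give the broadened handler a why-comment such as `# BadSignature is the base of BadTimeSignature/SignatureExpired and is also what unsign() raises when no valid signature part is present; any such cookie is treated as no session.` A debug-level log here would also make signature failures visible to operators, since the except path and the no-cookie else path currently produce identical state. The enclosing `__call__` and its try/else begin and end outside the hunk.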
@@ -112,3 +112,16 @@ def test_session_cookie_subpath(test_client_factory):
 cookie = response.headers["set-cookie"]
 cookie_path = re.search(r"; path=(\S+);", cookie).groups()[0]
 assert cookie_path == "/second_app"
+
+
+def test_invalid_session_cookie(test_client_factory):
+ app = create_app()
+ app.add_middleware(SessionMiddleware, secret_key="example")
+ client = test_client_factory(app)
+
+ response = client.post("/update_session", json={"some": "data"})
+ assert response.json() == {"session": {"some": "data"}}
+
+ # we expect it to not raise an exception if we provide a bogus session cookie
+ response = client.get("/view_session", cookies={"session": "invalid"})
+ assert response.json() == {"session": {}}
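Review bot: The new test only presents a value with no signature separator (`"invalid"`), which exercises the plain `BadSignature` path; the cases the previous code handled explicitly, a cookie whose signature was made with a different key and an expired cookie, are no longer regression-tested. A second case that replays the cookie from the first response against an app constructed with a different `secret_key`, and one that sets `max_age=0` and replays it, would pin both paths to the same `{"session": {}}` outcome. The in-test comment could be tightened to `# a bogus session cookie must yield an empty session, not raise`.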