Session data is always created, even when nothing is written

Bug #1286067 reported by Wolfgang Schnerring
This bug affects 1 person
Affects: zope.session | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The basic API is: ask for ISession, get a dict into which you can put stuff. This is, however, implemented in a manner that *always* creates a new entry (see zope.session.session.Session.__getitem__), which is bad, since one should not perform write operations in an otherwise read-only request, and can also lead to a denial-of-service vulnerability when session data is stored in the ZODB.
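
The write-on-read pattern described in the report, next to a lazy variant that touches the store only on the first assignment. This is an added example, not part of the original report and not zope.session's code; `CountingStore`, `EagerSession`, `LazyPkgData` and `LazySession` are hypothetical names in a simplified in-memory model.

```python
# Simplified in-memory model; every class name here is hypothetical.
class CountingStore(dict):
    """Stands in for a persistent container and counts top-level writes."""
    def __init__(self):
        super().__init__()
        self.writes = 0
    def __setitem__(self, key, value):
        self.writes += 1
        super().__setitem__(key, value)

class EagerSession:
    """Creates the client and package entries on every lookup."""
    def __init__(self, store, client_id):
        self.store, self.client_id = store, client_id
    def __getitem__(self, pkg_id):
        if self.client_id not in self.store:
            self.store[self.client_id] = {}  # a write on a read path
        return self.store[self.client_id].setdefault(pkg_id, {})

class LazyPkgData(dict):
    """Detached dict that attaches itself to the store on first assignment.
    Only item assignment is hooked; update() etc. would need the same hook."""
    def __init__(self, store, client_id, pkg_id):
        super().__init__()
        self._where = (store, client_id, pkg_id)
    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        store, client_id, pkg_id = self._where
        if client_id not in store:
            store[client_id] = {}  # first real write creates the entry
        store[client_id][pkg_id] = self

class LazySession:
    """Returns stored data if present, otherwise a detached LazyPkgData."""
    def __init__(self, store, client_id):
        self.store, self.client_id = store, client_id
    def __getitem__(self, pkg_id):
        existing = self.store.get(self.client_id, {}).get(pkg_id)
        if existing is not None:
            return existing
        return LazyPkgData(self.store, self.client_id, pkg_id)

def writes_after_reads(session_cls, n_clients):
    """Simulate n_clients read-only requests, each with a fresh client id."""
    store = CountingStore()
    for i in range(n_clients):
        session_cls(store, "client-%d" % i)["my.pkg"].get("user")
    return store.writes

if __name__ == "__main__":
    print("eager:", writes_after_reads(EagerSession, 1000))
    print("lazy: ", writes_after_reads(LazySession, 1000))
```

In the eager model the number of stored entries grows with the number of distinct client ids seen, even when no request stores anything; in the lazy model it grows only with requests that actually assign a value.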
