From 7a9993559799d7529101720cc8435db6a78e31d2 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Sun, 3 Nov 2013 09:52:11 +0100
Subject: [PATCH] use json serializer for sessions, change timestamps' data type, more security docs
json serializer can't serialize datetime (but integers), but is more safe than the pickle serializer.
---
 docs/security.rst | 14 ++++++++++++++
 nsupdate/api/views.py | 4 ++--
 nsupdate/context_processors.py | 7 +++----
 nsupdate/settings.py | 1 +
 setup.py | 2 +-
 5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/docs/security.rst b/docs/security.rst
index fd83561..46a5b22 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -119,3 +119,17 @@ users' sites (like attacker.yourservice.net). Obviously, this might lead to security issues with stealing, modifying and faking domain cookies.
+
+Sessions
+========
+
+We use Django's more safe JSONSerializer to serialize session data.
+For Django >=1.5.3, the serializer is configurable.
+For Django >=1.6 json will be the default rather than the less safe pickle format.
+
+
+Django's SECRET_KEY
+===================
+
+Well, it needs to be secret, so don't just keep the value from our settings.py,
+but define a really secret one in your local_settings.py.
diff --git a/nsupdate/api/views.py b/nsupdate/api/views.py
index 94d6037..87b2617 100644
--- a/nsupdate/api/views.py
+++ b/nsupdate/api/views.py
@@ -3,6 +3,7 @@
 import logging
 logger = logging.getLogger(__name__)
+import time
 import json
 from django.http import HttpResponse
@@ -10,7 +11,6 @@ from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.decorators import login_required
 from django.contrib.sessions.backends.db import SessionStore
-from django.utils.timezone import now
 from ..main.models import Host
 from ..main.dnstools import update, SameIpError, check_ip
@@ -52,7 +52,7 @@ def DetectIpView(request, secret=None):
 ipaddr = request.META['REMOTE_ADDR']
 key = check_ip(ipaddr)
 s[key] = ipaddr
- s[key + '_timestamp'] = now()
+ s[key + '_timestamp'] = int(time.time())
 logger.debug("detected %s: %s" % (key, ipaddr))
 s.save()
 return HttpResponse(status=204)
diff --git a/nsupdate/context_processors.py b/nsupdate/context_processors.py
index 1ea828f..155e58e 100644
--- a/nsupdate/context_processors.py
+++ b/nsupdate/context_processors.py
@@ -3,10 +3,9 @@
 import logging
 logger = logging.getLogger(__name__)
-from datetime import timedelta
+import time
 from django.conf import settings
-from django.utils.timezone import now
 MAX_IP_AGE = 180 # seconds
@@ -27,7 +26,7 @@ def remove_stale_ips(request):
 """
 # XXX is a context processor is the right place for this?
 s = request.session
- t_now = now()
+ t_now = int(time.time())
 for key in ['ipv4', 'ipv6', ]:
 timestamp_key = "%s_timestamp" % key
 try:
@@ -38,7 +37,7 @@ def remove_stale_ips(request):
 s[timestamp_key] = t_now
 else:
 try:
- stale = timestamp + timedelta(seconds=MAX_IP_AGE) < t_now
+ stale = timestamp + MAX_IP_AGE < t_now
 except (ValueError, TypeError):
 # invalid timestamp in session
 del s[timestamp_key]
diff --git a/nsupdate/settings.py b/nsupdate/settings.py
index 640c90d..4e86039 100644
--- a/nsupdate/settings.py
+++ b/nsupdate/settings.py
@@ -235,6 +235,7 @@
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 14 * 24 * 3600 # 2 weeks, in seconds
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False
+SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
 # python-social-auth settings
diff --git a/setup.py b/setup.py
index 70fb1f6..ad5d58e 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@ setup(
 zip_safe=False,
 platforms='any',
 install_requires=[
- 'django<1.6',
+ 'django >1.5.3, <1.6', # 1.5.3 has the session serializer configurable
 'dnspython',
 'south',
 'django-bootstrap-form',
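Review bot: The reason the `_timestamp` session value is now `int(time.time())` instead of `now()` lives only in the commit message, and the code that consumes it is in another module (context_processors.remove_stale_ips), so a reader of DetectIpView has nothing stopping them from "fixing" it back to a datetime. A one-line comment on the assignment would keep the two sides in step: `# epoch seconds as int: the JSON session serializer cannot encode datetime`. DetectIpView's body starts outside the hunk.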
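Review bot: remove_stale_ips now works on integer epoch seconds, but its docstring, which closes with the `"""` context line at the top of this hunk, is not updated and presumably still describes the datetime-based behaviour. It should state that the `ipv4_timestamp` / `ipv6_timestamp` session values are `int(time.time())` seconds written by api.views.DetectIpView, and that an entry older than MAX_IP_AGE seconds (or with a non-numeric timestamp) is removed from the session. The function starts outside the hunk and continues into the next one.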
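Review bot: `stale = timestamp + MAX_IP_AGE < t_now` reads as a threshold on the stored value rather than as an age check; the equivalent `stale = t_now - timestamp > MAX_IP_AGE` says directly what the function tests and matches the `# seconds` comment on MAX_IP_AGE. The surrounding `except (ValueError, TypeError)` still covers a non-numeric session value either way. remove_stale_ips starts outside the hunk.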
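Review bot: `SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'` is a security setting added without a comment, so the next person who hits "JSON cannot store datetime" has nothing telling them not to switch it back; a comment such as `# JSON, not pickle: session data read back from the store is plain data and is never executed on load (see docs/security.rst)` records the intent. Two consequences are worth a line in the release notes: sessions already stored in pickle format will presumably no longer decode after deployment, so existing users are logged out once, and the setting needs Django 1.5.3 or later, which the setup.py hunk in this commit pins.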
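Review bot: `'django >1.5.3, <1.6'` excludes 1.5.3 itself, which contradicts the trailing comment naming 1.5.3 as the version that made the serializer configurable; if 1.5.3 is acceptable the bound should be `'django>=1.5.3,<1.6',`. The setup() call starts outside the hunk.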