use json serializer for sessions, change timestamps' data type, more security docs

json serializer can't serialize datetime (but integers), but is more safe than the pickle serializer.
2013-11-03 09:52:11 +01:00 · 2013-11-03 09:52:11 +01:00 · 7a99935597
commit 7a99935597
parent 5cd14a9cd3
5 changed files with 21 additions and 7 deletions
--- a/docs/security.rst
+++ b/docs/security.rst
@ -119,3 +119,17 @@ users' sites (like attacker.yourservice.net).
 Obviously, this might lead to security issues with stealing, modifying and
 faking domain cookies.

+
+Sessions
+========
+
+We use Django's more safe JSONSerializer to serialize session data.
+For Django >=1.5.3, the serializer is configurable.
+For Django >=1.6 json will be the default rather than the less safe pickle format.
+
+
+Django's SECRET_KEY
+===================
+
+Well, it needs to be secret, so don't just keep the value from our settings.py,
+but define a really secret one in your local_settings.py.
--- a/nsupdate/api/views.py
+++ b/nsupdate/api/views.py
@ -3,6 +3,7 @@
 import logging
 logger = logging.getLogger(__name__)

+import time
 import json

 from django.http import HttpResponse
@ -10,7 +11,6 @@ from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.decorators import login_required
 from django.contrib.sessions.backends.db import SessionStore
-from django.utils.timezone import now

 from ..main.models import Host
 from ..main.dnstools import update, SameIpError, check_ip
@ -52,7 +52,7 @@ def DetectIpView(request, secret=None):
    ipaddr = request.META['REMOTE_ADDR']
    key = check_ip(ipaddr)
    s[key] = ipaddr
-    s[key + '_timestamp'] = now()
+    s[key + '_timestamp'] = int(time.time())
    logger.debug("detected %s: %s" % (key, ipaddr))
    s.save()
    return HttpResponse(status=204)
--- a/nsupdate/context_processors.py
+++ b/nsupdate/context_processors.py
@ -3,10 +3,9 @@
 import logging
 logger = logging.getLogger(__name__)

-from datetime import timedelta
+import time

 from django.conf import settings
-from django.utils.timezone import now

 MAX_IP_AGE = 180  # seconds

@ -27,7 +26,7 @@ def remove_stale_ips(request):
    """
    # XXX is a context processor is the right place for this?
    s = request.session
-    t_now = now()
+    t_now = int(time.time())
    for key in ['ipv4', 'ipv6', ]:
        timestamp_key = "%s_timestamp" % key
        try:
@ -38,7 +37,7 @@ def remove_stale_ips(request):
            s[timestamp_key] = t_now
        else:
            try:
-                stale = timestamp + timedelta(seconds=MAX_IP_AGE) < t_now
+                stale = timestamp + MAX_IP_AGE < t_now
            except (ValueError, TypeError):
                # invalid timestamp in session
                del s[timestamp_key]
--- a/nsupdate/settings.py
+++ b/nsupdate/settings.py
@ -235,6 +235,7 @@ SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 14 * 24 * 3600  # 2 weeks, in seconds
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False

+SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'

 # python-social-auth settings

--- a/setup.py
+++ b/setup.py
@ -38,7 +38,7 @@ setup(
    zip_safe=False,
    platforms='any',
    install_requires=[
-        'django<1.6',
+        'django >1.5.3, <1.6', # 1.5.3 has the session serializer configurable
        'dnspython',
        'south',
        'django-bootstrap-form',