[Django] #31895: process crash after upgrade to 3.1: Incorrect padding


Django

Aug 17, 2020, 2:32:15 PM
to django-...@googlegroups.com
#31895: process crash after upgrade to 3.1: Incorrect padding
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Keywords: incorrect padding, badsignature
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi
I recently upgraded my staging server to 3.1. I think that there was an
old session which was still active.
On browsing to any URL, I get the crash below. It looks similar to
[https://groups.google.com/g/django-users/c/PExKciSIqeU/m/getWx-hRBQAJ this issue].

I cannot log in at all with Chrome - each attempt to access the site
results in a crash. Login with Firefox works fine.

This is only happening on my Staging site, which is running Gunicorn
behind an nginx proxy.


{{{
Internal Server Error: /overview/
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 215, in _get_session
    return self._session_cache
AttributeError: 'SessionStore' object has no attribute '_session_cache'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 118, in decode
    return signing.loads(session_data, salt=self.key_salt, serializer=self.serializer)
  File "/usr/local/lib/python3.8/site-packages/django/core/signing.py", line 135, in loads
    base64d = TimestampSigner(key, salt=salt).unsign(s, max_age=max_age).encode()
  File "/usr/local/lib/python3.8/site-packages/django/core/signing.py", line 201, in unsign
    result = super().unsign(value)
  File "/usr/local/lib/python3.8/site-packages/django/core/signing.py", line 184, in unsign
    raise BadSignature('Signature "%s" does not match' % sig)
django.core.signing.BadSignature: Signature "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" does not match

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 179, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/generic/base.py", line 73, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/mixins.py", line 50, in dispatch
    if not request.user.is_authenticated:
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 240, in inner
    self._setup()
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 376, in _setup
    self._wrapped = self._setupfunc()
  File "/usr/local/lib/python3.8/site-packages/django_otp/middleware.py", line 38, in _verify_user
    user.otp_device = None
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 270, in __setattr__
    self._setup()
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 376, in _setup
    self._wrapped = self._setupfunc()
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/middleware.py", line 23, in <lambda>
    request.user = SimpleLazyObject(lambda: get_user(request))
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/middleware.py", line 11, in get_user
    request._cached_user = auth.get_user(request)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/__init__.py", line 174, in get_user
    user_id = _get_user_session_key(request)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/__init__.py", line 58, in _get_user_session_key
    return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY])
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 65, in __getitem__
    return self._session[key]
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 220, in _get_session
    self._session_cache = self.load()
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/db.py", line 44, in load
    return self.decode(s.session_data) if s else {}
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 122, in decode
    return self._legacy_decode(session_data)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 126, in _legacy_decode
    encoded_data = base64.b64decode(session_data.encode('ascii'))
  File "/usr/local/lib/python3.8/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31895>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 17, 2020, 2:34:47 PM
to django-...@googlegroups.com
#31895: process crash after upgrade to 3.1: Incorrect padding
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Resolution:
Keywords: incorrect padding, badsignature | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Matt Hegarty:

Old description:

New description:

Hi
I recently upgraded my staging server to 3.1. I think that there was an
old session which was still active.
On browsing to any URL, I get the crash below. It looks similar to
[[https://groups.google.com/g/django-users/c/PExKciSIqeU/m/getWx-hRBQAJ|this issue]].

--

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:1>

Django

Aug 17, 2020, 3:22:03 PM
to django-...@googlegroups.com
#31895: process crash after upgrade to 3.1: Incorrect padding
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Resolution:
Keywords: incorrect padding, badsignature | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Matt Hegarty):

I tried to run clearsessions, but that didn't help. The only workaround
was to delete all rows in the django_session table.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:2>

Django

Aug 18, 2020, 12:58:14 AM
to django-...@googlegroups.com
#31895: Process crash after upgrade to 3.1: Incorrect padding
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Uncategorized | Status: closed
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution: needsinfo
Keywords: incorrect padding, badsignature | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => needsinfo
* component: Uncategorized => Core (Other)


Comment:

Thanks for this report, however I cannot reproduce this issue. Can you
provide a sample project?

Support for user sessions created by older versions of Django remains
until Django 4.0. See similar tickets #31864, #31592, and #31274; this can
be a duplicate of one of them.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:3>

Django

Aug 18, 2020, 4:11:51 AM
to django-...@googlegroups.com
#31895: Process crash after upgrade to 3.1: Incorrect padding
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Uncategorized | Status: closed
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution: needsinfo
Keywords: incorrect padding, badsignature | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Matt Hegarty):

Thanks for the response. It does look similar to the other issues you
posted. I don't have a reproducible instance at present. The only way I
can think to reproduce would be to start up a 3.0 site, log in, wait for
the session to expire, then upgrade to 3.1. These are the steps that
would have happened on the environment where I encountered the issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:4>

Django

Aug 18, 2020, 6:27:39 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: needsinfo
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* type: Uncategorized => Bug
* component: Core (Other) => contrib.sessions
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted


Comment:

Thanks, I was able to reproduce this issue with invalid session data.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:5>

Django

Aug 18, 2020, 6:27:51 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution:
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: closed => new
* resolution: needsinfo =>


--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:6>

Django

Aug 18, 2020, 6:27:58 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: assigned
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution:
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* owner: nobody => felixxm
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:7>

Django

Aug 18, 2020, 6:54:42 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: assigned
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution:
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* cc: Claude Paroz (added)
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/13321 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:8>

Django

Aug 19, 2020, 6:06:55 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"4376c2c7f8cd9c7604a7d053b3c4022dd5ac2795" 4376c2c7]:
{{{
#!CommitTicketReference repository="" revision="4376c2c7f8cd9c7604a7d053b3c4022dd5ac2795"
Fixed #31895 -- Fixed crash when decoding invalid session data.

Thanks Matt Hegarty for the report.
Regression in d4fff711d4c97356bd6ba1273d2a5e349326eb5f.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:9>
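
The crash path in the report's traceback (the signature check fails, then the legacy base64 fallback raises `binascii.Error`), reduced to the standard library as an added example; it is not Django's code and not the patch from the PR. The two storage formats, `SECRET` and every function name here are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value, not a real SECRET_KEY


class BadSignature(Exception):
    """Signed (current-format) value failed verification."""


def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def encode_signed(data: dict) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    return (payload + b":" + _mac(payload)).decode()


def decode_signed(value: str) -> dict:
    payload, sep, sig = value.rpartition(":")
    if not sep or not hmac.compare_digest(sig.encode(), _mac(payload.encode())):
        raise BadSignature("signature does not match")
    return json.loads(base64.urlsafe_b64decode(payload))


def encode_legacy(data: dict) -> str:
    body = json.dumps(data).encode()
    return base64.b64encode(_mac(body) + b":" + body).decode("ascii")


def decode_legacy(value: str) -> dict:
    raw = base64.b64decode(value.encode("ascii"))  # binascii.Error on bad input
    digest, body = raw.split(b":", 1)              # ValueError if no separator
    if not hmac.compare_digest(digest, _mac(body)):
        raise ValueError("legacy session hash mismatch")
    return json.loads(body)


def decode_crashing(value: str) -> dict:
    """Fallback shaped like the traceback: legacy-path errors propagate."""
    try:
        return decode_signed(value)
    except BadSignature:
        return decode_legacy(value)


def decode_failsafe(value: str) -> dict:
    """Any stored value that cannot be verified decodes to an empty session."""
    try:
        return decode_signed(value)
    except BadSignature:
        pass
    try:
        return decode_legacy(value)
    except (binascii.Error, ValueError):  # also covers JSON and Unicode errors
        return {}
```

With the fail-safe variant a corrupt or foreign-format stored value yields an empty (unauthenticated) session instead of an unhandled exception on every request that carries that session key.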

Django

Aug 19, 2020, 6:08:04 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"7eaa2776e1f176863c00b961bc76b28a3b5293c7" 7eaa277]:
{{{
#!CommitTicketReference repository="" revision="7eaa2776e1f176863c00b961bc76b28a3b5293c7"
[3.1.x] Fixed #31895 -- Fixed crash when decoding invalid session data.

Thanks Matt Hegarty for the report.
Regression in d4fff711d4c97356bd6ba1273d2a5e349326eb5f.

Backport of 4376c2c7f8cd9c7604a7d053b3c4022dd5ac2795 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:10>

Django

Sep 1, 2020, 6:36:52 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Torsten Bronger):

Django 3.0.9 is also affected, and according to the release notes, 3.0.10
probably too.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:11>

Django

Sep 1, 2020, 6:40:46 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by felixxm):

Replying to [comment:11 Torsten Bronger]:

> Django 3.0.9 is also affected, and according to the release notes,
> 3.0.10 probably too.

This is a fix for a regression in Django 3.1, so Django 3.0 cannot be
affected.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:12>

Django

Sep 1, 2020, 7:19:54 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Torsten Bronger):

* Attachment "31895" added.

Traceback with 3.0.8

Django

Sep 1, 2020, 7:30:44 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Torsten Bronger):

I attached the traceback we see with 3.0.8. It is not the same but very
similar, and the point in time since we observe this also matches with
this bug. Furthermore, the master branch solves this problem for us.

Do you still think it is a different problem? If so, I'll file a new report.

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:13>

Django

Sep 1, 2020, 8:43:52 AM
to django-...@googlegroups.com
#31895: Decoding an invalid session data crashes.
-------------------------------------+-------------------------------------
Reporter: Matt Hegarty | Owner: felixxm
Type: Bug | Status: closed
Component: contrib.sessions | Version: 3.1
Severity: Release blocker | Resolution: fixed
Keywords: incorrect padding, badsignature | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by felixxm):

This can be a duplicate of #31592 (downgrade is not supported).

Moreover, Django 3.0 is in extended support so it doesn't receive bugfixes
anymore (except security fixes). Therefore even if you hit a different
(but similar) issue in Django 3.0 (without any sessions created in Django
3.1+) it will not qualify for a backport based on our
[https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions supported versions policy].

--
Ticket URL: <https://code.djangoproject.com/ticket/31895#comment:14>
