5 comments

[ 3.4 ms ] story [ 19.7 ms ] thread
This is an unusually dangerous security bug. Definitely agree with the Django team that all users of Django 1.8 should upgrade as soon as possible.
Adding to my list of security vulnerabilities that static typing would have prevented.
Isn't an empty string still a string?
Right, the issue here is just using null or "". You could use an Optional or Maybe type here. Even better you could define:

    data SessionKey = ValidSessionKey | InvalidSessionKey
Then the developer making the modification code would have been much less likely to type "InvalidSessionKey" whereas the None/"" behavior is just an idiom. The problem here is that the domain knowledge of: "" is a valid session

wasn't communicated by the code.

still stuck on Django 1.6.x; also stuck with Python 2.7.x; fear is the order of the day when it comes to upgrades.