3.0.x fix for #744 (Malicious cookies may allow access to files outsi…

…de the session directory). --HG-- branch : cherrypy-3.0.x
cherrypy · Oct 27, 2007 · 37b856e · 37b856e
1 parent 8a68eea
commit 37b856e
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/cherrypy/lib/sessions.py b/cherrypy/lib/sessions.py
@@ -260,7 +260,10 @@ def setup(self):
                     os.path.abspath(self.storage_path)))
 
     def _get_file_path(self):
-        return os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
+        f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
+        if not os.path.normpath(f).startswith(self.storage_path):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
+        return f
 
     def _load(self, path=None):
         if path is None: