
Extend session key char set

Signed-off-by: Rohan Jain <crodjer@gmail.com>
1 parent 3b018b6 commit f5700b95e50dbf2641f084ca633ab58aa78528e3 @crodjer committed May 18, 2012
Showing with 6 additions and 8 deletions.
  1. +5 −5 django/contrib/sessions/backends/base.py
  2. +1 −3 django/contrib/sessions/backends/file.py
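--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -26,6 +26,10 @@ class SessionBase(object):
 TEST_COOKIE_NAME = 'testcookie'
 TEST_COOKIE_VALUE = 'worked'
+# Session_key should not be case sensitive because some backends can store
+# it on case insensitive file systems.
+VALID_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"
+
 def __init__(self, session_key=None):
 self._session_key = session_key
 self.accessed = False
@@ -127,12 +131,8 @@ def clear(self):
 def _get_new_session_key(self):
 "Returns session key that isn't being used."
-# Todo: move to 0-9a-z charset in 1.5
-hex_chars = '1234567890abcdef'
-# session_key should not be case sensitive because some backends
-# can store it on case insensitive file systems.
 while True:
-session_key = get_random_string(32, hex_chars)
+session_key = get_random_string(32, self.VALID_KEY_CHARS)
 if not self.exists(session_key):
 break
 return session_key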
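Review bot: The new comment above `VALID_KEY_CHARS` only explains the case-insensitivity choice, but this attribute now does double duty: it is the generation alphabet here and, in the same commit, the validation whitelist the file backend uses before turning a key into a path. A subclass that widens it (for example to add `-` or `/`) would silently weaken that path check, so the comment should state the contract: `# Also the whitelist backends validate incoming keys against before mapping them to storage (see file backend); overrides must stay path-safe and case insensitive.` The `Session_key` capitalisation in the first line looks like a typo for `session_key`.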
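--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -26,8 +26,6 @@ def __init__(self, session_key=None):
 self.file_prefix = settings.SESSION_COOKIE_NAME
 super(SessionStore, self).__init__(session_key)
-VALID_KEY_CHARS = set("abcdef0123456789")
-
 def _key_to_file(self, session_key=None):
 """
 Get the file associated with this session key.
@@ -38,7 +36,7 @@ def _key_to_file(self, session_key=None):
 # Make sure we're not vulnerable to directory traversal. Session keys
 # should always be md5s, so they should never contain directory
 # components.
-if not set(session_key).issubset(self.VALID_KEY_CHARS):
+if not set(session_key).issubset(set(self.VALID_KEY_CHARS)):
 raise SuspiciousOperation(
 "Invalid characters in session key")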
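Review bot: The comment right above the changed check is now stale: it still says session keys "should always be md5s", but this commit moves generation to the 0-9a-z alphabet in `VALID_KEY_CHARS`, so the justification for the traversal guard has changed. Suggest `# Keys are generated from VALID_KEY_CHARS (see SessionBase), so a well-formed key can never contain a path separator or '..'; reject anything else.` Note also that `set(session_key).issubset(...)` is vacuously true for an empty string, so if an empty key can reach this point the guard does not stop it; whether that matters depends on how the path is built below, which is outside the hunk. Rebuilding `set(self.VALID_KEY_CHARS)` on every call is a small inefficiency; a frozenset defined once at class level would avoid it. `_key_to_file` starts in the previous hunk and its body continues past this one.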
