
Extend session key char set

Signed-off-by: Rohan Jain <crodjer@gmail.com>
commit f5700b95e50dbf2641f084ca633ab58aa78528e3 1 parent 3b018b6
Rohan Jain authored
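--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -26,6 +26,10 @@ class SessionBase(object):
 TEST_COOKIE_NAME = 'testcookie'
 TEST_COOKIE_VALUE = 'worked'
 
+# Session_key should not be case sensitive because some backends can store
+# it on case insensitive file systems.
+VALID_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"
+
 def __init__(self, session_key=None):
 self._session_key = session_key
 self.accessed = False
@@ -127,12 +131,8 @@ def clear(self):
 
 def _get_new_session_key(self):
 "Returns session key that isn't being used."
-# Todo: move to 0-9a-z charset in 1.5
-hex_chars = '1234567890abcdef'
-# session_key should not be case sensitive because some backends
-# can store it on case insensitive file systems.
 while True:
-session_key = get_random_string(32, hex_chars)
+session_key = get_random_string(32, self.VALID_KEY_CHARS)
 if not self.exists(session_key):
 break
 return session_key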
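Review bot: The comment on `VALID_KEY_CHARS` in the first hunk explains only the case-insensitivity constraint, but after this commit the same attribute is also the allow-list that the file backend's directory-traversal check tests keys against. A subclass or later edit that widens the string (for example to add punctuation) would silently loosen that check. I would extend the comment with `# Also the allow-list for session-key validation in the file backend; must never contain path separators or '.'.` The generator change in the second hunk (`_get_new_session_key`) keeps existing hex keys valid, since they are a subset of the new set.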
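--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -26,8 +26,6 @@ def __init__(self, session_key=None):
 self.file_prefix = settings.SESSION_COOKIE_NAME
 super(SessionStore, self).__init__(session_key)
 
-VALID_KEY_CHARS = set("abcdef0123456789")
-
 def _key_to_file(self, session_key=None):
 """
 Get the file associated with this session key.
@@ -38,7 +36,7 @@ def _key_to_file(self, session_key=None):
 # Make sure we're not vulnerable to directory traversal. Session keys
 # should always be md5s, so they should never contain directory
 # components.
-if not set(session_key).issubset(self.VALID_KEY_CHARS):
+if not set(session_key).issubset(set(self.VALID_KEY_CHARS)):
 raise SuspiciousOperation(
 "Invalid characters in session key")
 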
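Review bot: The comment above the character check in the second hunk still says session keys "should always be md5s", which stopped being true once keys are drawn from the 0-9a-z set in the base class. Because this check is what stands between a supplied key and the file path, the comment should state the real invariant, e.g. `# Session keys may only contain VALID_KEY_CHARS, so they can never contain directory components.` The check constrains characters only, not length or emptiness; whether that matters depends on the part of `_key_to_file` between and after the hunks, which is not shown here.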
