Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

[1.2.X] Fixed a security issue in the file session backend. Disclosur…

…e and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15468 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 194566480b15cf4e294d3f03ff587019b74044b2 1 parent 818e703
@alex alex authored
View
6 django/contrib/sessions/backends/file.py
@@ -26,6 +26,8 @@ def __init__(self, session_key=None):
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
+ VALID_KEY_CHARS = set("abcdef0123456789")
+
def _key_to_file(self, session_key=None):
"""
Get the file associated with this session key.
@@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None):
# Make sure we're not vulnerable to directory traversal. Session keys
# should always be md5s, so they should never contain directory
# components.
- if os.path.sep in session_key:
+ if not set(session_key).issubset(self.VALID_KEY_CHARS):
raise SuspiciousOperation(
- "Invalid characters (directory components) in session key")
+ "Invalid characters in session key")
return os.path.join(self.storage_path, self.file_prefix + session_key)
View
11 django/contrib/sessions/tests.py
@@ -129,6 +129,17 @@
>>> file_session = FileSession(file_session.session_key)
>>> file_session.save()
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
# Make sure the file backend checks for a good storage dir
>>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
>>> FileSession()

0 comments on commit 1945664

Please sign in to comment.
Something went wrong with that request. Please try again.