[1.1.X] Fixed a security issue in the file session backend. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15469 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 570a32a047ea56265646217264b0d3dab1a14dbd 1 parent 408c5c8
Alex Gaynor authored February 09, 2011
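--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -26,6 +26,8 @@ def __init__(self, session_key=None):
         self.file_prefix = settings.SESSION_COOKIE_NAME
         super(SessionStore, self).__init__(session_key)
 
+    VALID_KEY_CHARS = set("abcdef0123456789")
+
     def _key_to_file(self, session_key=None):
         """
         Get the file associated with this session key.
@@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None):
         # Make sure we're not vulnerable to directory traversal. Session keys
         # should always be md5s, so they should never contain directory
         # components.
-        if os.path.sep in session_key:
+        if not set(session_key).issubset(self.VALID_KEY_CHARS):
             raise SuspiciousOperation(
-                "Invalid characters (directory components) in session key")
+                "Invalid characters in session key")
 
         return os.path.join(self.storage_path, self.file_prefix + session_key)
 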
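--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -129,6 +129,17 @@
 >>> file_session = FileSession(file_session.session_key)
 >>> file_session.save()
 
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+    ...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+    ...
+SuspiciousOperation: Invalid characters in session key
+
 # Make sure the file backend checks for a good storage dir
 >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
 >>> FileSession()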
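Review bot: The two new doctests only cover path separators, so nothing pins the allowlist itself — a key built from characters that are neither separators nor lowercase hex would not be caught by these tests if the check regressed to a separator blacklist; adding `>>> FileSession("abc-DEF").load()` with the same `SuspiciousOperation: Invalid characters in session key` expectation would lock the allowlist in. An empty key is also untested and presumably passes the subset check, since the empty set is a subset of any allowlist; a doctest for `FileSession("").load()` should be added once the intended behaviour for that case is decided. Both cases go through `load()` only; whether `save()`, `exists()` and `delete()` route through the same check is not visible from this hunk.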
