Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Fixed a security issue in the file session backend. Disclosure and ne…

…w release forthcoming.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 6ca7c9c495d4195114a6b9d1130dc107921f83b2 1 parent 208630a
@alex alex authored
6 django/contrib/sessions/backends/
@@ -26,6 +26,8 @@ def __init__(self, session_key=None):
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
+ VALID_KEY_CHARS = set("abcdef0123456789")
def _key_to_file(self, session_key=None):
Get the file associated with this session key.
@@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None):
# Make sure we're not vulnerable to directory traversal. Session keys
# should always be md5s, so they should never contain directory
# components.
- if os.path.sep in session_key:
+ if not set(session_key).issubset(self.VALID_KEY_CHARS):
raise SuspiciousOperation(
- "Invalid characters (directory components) in session key")
+ "Invalid characters in session key")
return os.path.join(self.storage_path, self.file_prefix + session_key)
12 django/contrib/sessions/
@@ -11,7 +11,7 @@
from django.contrib.sessions.backends.file import SessionStore as FileSession
from django.contrib.sessions.models import Session
from django.contrib.sessions.middleware import SessionMiddleware
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
from django.http import HttpResponse
from django.test import TestCase, RequestFactory
from django.utils import unittest
@@ -322,6 +322,16 @@ def test_configuration_check(self):
settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
self.assertRaises(ImproperlyConfigured, self.backend)
+ def test_invalid_key_backslash(self):
+ # Ensure we don't allow directory-traversal
+ self.assertRaises(SuspiciousOperation,
+ self.backend("a\\b\\c").load)
+ def test_invalid_key_forwardslash(self):
+ # Ensure we don't allow directory-traversal
+ self.assertRaises(SuspiciousOperation,
+ self.backend("a/b/c").load)
class CacheSessionTests(SessionTestsMixin, unittest.TestCase):

0 comments on commit 6ca7c9c

Please sign in to comment.
Something went wrong with that request. Please try again.