
Fixed #19356 -- Increased session key entropy.

1 parent b7e4431 commit d913a8b41281c506451156bdebc9a1851cb49fae @aaugustin aaugustin committed
Showing with 8 additions and 9 deletions.
  1. +6 −5 django/contrib/sessions/backends/base.py
  2. +2 −4 django/contrib/sessions/backends/file.py
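--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -6,6 +6,7 @@
 from django.utils.six.moves import cPickle as pickle
 except ImportError:
 import pickle
+import string
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -15,6 +16,10 @@
 from django.utils import timezone
 from django.utils.encoding import force_bytes
+# session_key should not be case sensitive because some backends can store it
+# on case insensitive file systems.
+VALID_KEY_CHARS = string.ascii_lowercase + string.digits
+
 class CreateError(Exception):
 """
 Used internally as a consistent exception type to catch from save (see the
@@ -132,12 +137,8 @@ def clear(self):
 def _get_new_session_key(self):
 "Returns session key that isn't being used."
-# Todo: move to 0-9a-z charset in 1.5
-hex_chars = '1234567890abcdef'
-# session_key should not be case sensitive because some backends
-# can store it on case insensitive file systems.
 while True:
-session_key = get_random_string(32, hex_chars)
+session_key = get_random_string(32, VALID_KEY_CHARS)
 if not self.exists(session_key):
 break
 return session_key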
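Review bot: The docstring of `_get_new_session_key` at the top of the last hunk still only says "Returns session key that isn't being used."; now that the alphabet has changed it should record the key's shape and strength, e.g. `"""Return a 32-character key over VALID_KEY_CHARS (about 165 bits of entropy) that no existing session uses."""`. 32 symbols from a 36-character alphabet give 32·log2(36) ≈ 165 bits against 128 bits for the old 16-character hex alphabet, which is the substance of the commit and is worth stating next to the `VALID_KEY_CHARS` definition as well. Whether those bits are unpredictable depends on the randomness source behind `get_random_string`, which this hunk does not show; if it can fall back to a non-cryptographic PRNG, the comment on `VALID_KEY_CHARS` should say so. The enclosing class starts outside the hunk.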
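--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -4,7 +4,7 @@
 import tempfile
 from django.conf import settings
-from django.contrib.sessions.backends.base import SessionBase, CreateError
+from django.contrib.sessions.backends.base import SessionBase, CreateError, VALID_KEY_CHARS
 from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
 from django.utils import timezone
@@ -36,8 +36,6 @@ def _get_storage_path(cls):
 cls._storage_path = storage_path
 return storage_path
-VALID_KEY_CHARS = set("abcdef0123456789")
-
 def _key_to_file(self, session_key=None):
 """
 Get the file associated with this session key.
@@ -48,7 +46,7 @@ def _key_to_file(self, session_key=None):
 # Make sure we're not vulnerable to directory traversal. Session keys
 # should always be md5s, so they should never contain directory
 # components.
-if not set(session_key).issubset(self.VALID_KEY_CHARS):
+if not set(session_key).issubset(set(VALID_KEY_CHARS)):
 raise SuspiciousOperation(
 "Invalid characters in session key")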
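Review bot: The comment directly above the changed check in the last hunk still says session keys "should always be md5s", which this commit makes false: keys are now 32 characters from VALID_KEY_CHARS (0-9a-z), not hex digests, and the comment should explain the actual invariant, e.g. `# Make sure we're not vulnerable to directory traversal. Session keys are` / `# restricted to VALID_KEY_CHARS, so they can never contain path separators` / `# or directory components.`. Note also that `set(session_key).issubset(...)` accepts an empty key, because the empty set is a subset of everything; whether an empty `session_key` can reach this line depends on the caller, which is outside the hunk, so an explicit `if not session_key or not set(session_key).issubset(...)` guard may be worth confirming. `set(VALID_KEY_CHARS)` is rebuilt on every call, which a module-level `frozenset(VALID_KEY_CHARS)` would avoid. `_key_to_file` starts before this hunk and continues past it.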
