Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
commit f88700d610d69ba5b44ab7b0692f8792aab3b54b 1 parent a9b98f5
Erik Romijn erikr authored aaugustin committed
1  AUTHORS
@@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
Alex Robbins <alexander.j.robbins@gmail.com>
Matt Robenolt <m@robenolt.com>
Henrique Romano <onaiort@gmail.com>
+ Erik Romijn <django@solidlinks.nl>
Armin Ronacher
Daniel Roseman <http://roseman.org.uk/>
Rozza <ross.lawley@gmail.com>
2  django/contrib/sessions/backends/file.py
@@ -86,7 +86,7 @@ def load(self):
session_data = {}
self.delete()
self.create()
- except IOError:
+ except (IOError, SuspiciousOperation):
self.create()
return session_data
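Review bot: Widening the handler to `except (IOError, SuspiciousOperation):` throws away the only evidence that a client presented a path-traversal-shaped session key — `_key_to_file` (outside this hunk) raises SuspiciousOperation for exactly that case, and load() now quietly answers with a fresh session, so the attempt leaves no trace. A missing file is an ordinary cache miss, but a SuspiciousOperation is an attack signal and deserves its own branch that records it before recovering, e.g. `except SuspiciousOperation as exc:` / `logger.warning("Discarding suspicious session key: %s", exc)` / `self.create()`, keeping the existing `except IOError: self.create()` unchanged (the module's imports are not in this hunk, so add `logger = logging.getLogger(__name__)` if the file has no logger yet). This preserves the behaviour the ticket asks for — no 500, a new session — while leaving something to alert on. load() starts before this hunk, so I cannot confirm which calls inside the try can raise SuspiciousOperation; the inner try around decode() is not visible here either.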
13 django/contrib/sessions/tests.py
@@ -403,14 +403,21 @@ def test_configuration_check(self):
self.assertRaises(ImproperlyConfigured, self.backend)
def test_invalid_key_backslash(self):
- # Ensure we don't allow directory-traversal
+ # This key should be refused and a new session should be created
+ self.assertTrue(self.backend("a\\b\\c").load())
+
+ def test_invalid_key_backslash(self):
+ # Ensure we don't allow directory-traversal.
+ # This is tested directly on _key_to_file, as load() will swallow
+ # a SuspiciousOperation in the same way as an IOError - by creating
+ # a new session, making it unclear whether the slashes were detected.
self.assertRaises(SuspiciousOperation,
- self.backend("a\\b\\c").load)
+ self.backend()._key_to_file, "a\\b\\c")
def test_invalid_key_forwardslash(self):
# Ensure we don't allow directory-traversal
self.assertRaises(SuspiciousOperation,
- self.backend("a/b/c").load)
+ self.backend()._key_to_file, "a/b/c")
@override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
def test_clearsessions_command(self):
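Review bot: The two methods added as `def test_invalid_key_backslash(self):` share one name, so the second definition replaces the first in the class body and the new-session test with `self.assertTrue(self.backend("a\\b\\c").load())` is never collected or run. That is worth more than a rename, because if it did run it would most likely fail: load() in the file backend initialises `session_data = {}` and returns it from the except branch (see the backends/file.py hunk), so the value is the empty dict unless something earlier in the try reassigns it before `_key_to_file()` raises. Suggest `def test_invalid_key_creates_new_session(self):` asserting `self.assertEqual(self.backend("a\\b\\c").load(), {})`, plus, if the base class exposes the current key, a check that the rejected key was not kept. The forward-slash case only keeps the `_key_to_file` check; mirroring the new-session test for `"a/b/c"` would cover the other separator the ticket is about.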