Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
commit f88700d610d69ba5b44ab7b0692f8792aab3b54b 1 parent a9b98f5
Erik Romijn authored May 19, 2013 aaugustin committed May 19, 2013
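--- a/AUTHORS
+++ b/AUTHORS
@@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
     Alex Robbins <alexander.j.robbins@gmail.com>
     Matt Robenolt <m@robenolt.com>
     Henrique Romano <onaiort@gmail.com>
+    Erik Romijn <django@solidlinks.nl>
     Armin Ronacher
     Daniel Roseman <http://roseman.org.uk/>
     Rozza <ross.lawley@gmail.com>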
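--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -86,7 +86,7 @@ def load(self):
                     session_data = {}
                     self.delete()
                     self.create()
-        except IOError:
+        except (IOError, SuspiciousOperation):
             self.create()
         return session_data
 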
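Review bot: The widened except clause treats a SuspiciousOperation raised for the session key exactly like a missing session file and calls create() without recording anything, so a client-supplied key containing path separators leaves no trace that it was rejected. Since the swallowing is deliberate (the tests.py hunk says load() is meant to behave this way), it deserves a comment at the except line, e.g. `# A key that _key_to_file() refuses (SuspiciousOperation) is handled like a missing file: drop it and start a fresh session.` If a security-event logger is available in this module, emitting a warning with the exception text before create() would keep the rejection visible to operators; the hunk does not show whether one is in scope. The load() method begins before this hunk.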
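--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -403,14 +403,21 @@ def test_configuration_check(self):
         self.assertRaises(ImproperlyConfigured, self.backend)
 
     def test_invalid_key_backslash(self):
-        # Ensure we don't allow directory-traversal
+        # This key should be refused and a new session should be created
+        self.assertTrue(self.backend("a\\b\\c").load())
+
+    def test_invalid_key_backslash(self):
+        # Ensure we don't allow directory-traversal.
+        # This is tested directly on _key_to_file, as load() will swallow
+        # a SuspiciousOperation in the same way as an IOError - by creating
+        # a new session, making it unclear whether the slashes were detected.
         self.assertRaises(SuspiciousOperation,
-                          self.backend("a\\b\\c").load)
+                          self.backend()._key_to_file, "a\\b\\c")
 
     def test_invalid_key_forwardslash(self):
         # Ensure we don't allow directory-traversal
         self.assertRaises(SuspiciousOperation,
-                          self.backend("a/b/c").load)
+                          self.backend()._key_to_file, "a/b/c")
 
     @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
     def test_clearsessions_command(self):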
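Review bot: The added `def test_invalid_key_backslash(self):` following the new blank line reuses the name of the method defined four lines earlier, so the second definition overwrites the first in the class body and the `assertTrue(self.backend("a\\b\\c").load())` check is never collected or run. Give the first one its own name, e.g. `def test_invalid_key_backslash_creates_new_session(self):`. Once it actually runs, confirm load() returns a truthy value on that path: the file.py hunk's except branch only calls create() and then returns session_data, and the hunk does not show that value being repopulated. The same new-session check could be mirrored for the forward-slash key, which currently only gets the _key_to_file assertion. The enclosing test class starts before this hunk.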
