security fix in session.py (tx Sławomir Błaże)

test/session.py

@@ -78,6 +78,14 @@ def testParallelSessions(self):
             self.assertEquals(b1.open('/count'), str(i+1))
             self.assertEquals(b2.open('/count'), str(i))
 
+    def testBadSessionId(self):
+        b = Browser(self.app)
+        self.assertEquals(b.open('/count'), '1')
+        self.assertEquals(b.open('/count'), '2')
+
+        b.cookies['webpy_session_id'] = '/etc/password'
+        self.assertEquals(b.open('/count'), '1')
+
 class DBSessionTest(SessionTest):
     """Session test with db store."""
     def make_session(self, app):

web/session.py

@@ -65,7 +65,11 @@ def _load(self):
         cookie_name = self._config.cookie_name
         cookie_domain = self._config.cookie_domain
         self.session_id = web.cookies().get(cookie_name)
-
+
+        # protection against session_id tampering
+        if self.session_id and not self._valid_session_id(self.session_id):
+            self.session_id = None
+
         self._check_expiry()
         if self.session_id:
             d = self.store[self.session_id]
@@ -118,6 +122,10 @@ def _generate_session_id(self):
             if session_id not in self.store:
                 break
         return session_id
+
+    def _valid_session_id(self, session_id):
+        rx = utils.re_compile('^[0-9a-fA-F]+$')
+        return rx.match(session_id)
 
     def _cleanup(self):
         """Cleanup the stored sessions"""
@@ -183,22 +191,27 @@ def __init__(self, root):
         if not os.path.exists(root):
             os.mkdir(root)
         self.root = root
+
+    def _get_path(self, key):
+        if os.path.sep in key: 
+            raise ValueError, "Bad key: %s" % repr(key)
+        return os.path.join(self.root, key)
 
     def __contains__(self, key):
-        path = os.path.join(self.root, key)
+        path = self._get_path(key)
         return os.path.exists(path)
 
     def __getitem__(self, key):
-        path = os.path.join(self.root, key)
+        path = self._get_path(key)
         if os.path.exists(path): 
             pickled = open(path).read()
             return self.decode(pickled)
         else:
             raise KeyError, key
 
     def __setitem__(self, key, value):
+        path = self._get_path(key)
         pickled = self.encode(value)    
-        path = os.path.join(self.root, key)
         try:
             f = open(path, 'w')
             try:
@@ -209,14 +222,14 @@ def __setitem__(self, key, value):
             pass
 
     def __delitem__(self, key):
-        path = os.path.join(self.root, key)
+        path = self._get_path(key)
         if os.path.exists(path):
             os.remove(path)
 
     def cleanup(self, timeout):
         now = time.time()
         for f in os.listdir(self.root):
-            path = os.path.join(self.root, f)
+            path = self._get_path(f)
             atime = os.stat(path).st_atime
             if now - atime > timeout :
                 os.remove(path)