| author | Alex Gaynor <alex.gaynor@gmail.com> | 2011-02-09 02:14:24 +0000 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2011-02-09 02:14:24 +0000 |
| commit | 570a32a047ea56265646217264b0d3dab1a14dbd (patch) | |
| tree | 05dbdfa396e8ef6da1cd83c8afd988234055d43f | |
| parent | 408c5c873ce1437c7eee9544ff279ecbad7e150a (diff) | |
[1.1.X] Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15469 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | django/contrib/sessions/backends/file.py | 6 | ||||
| -rw-r--r-- | django/contrib/sessions/tests.py | 11 |
2 files changed, 15 insertions, 2 deletions
diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
index 3f6350345f..c3516ea328 100644
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -26,6 +26,8 @@ class SessionStore(SessionBase):
 self.file_prefix = settings.SESSION_COOKIE_NAME
 super(SessionStore, self).__init__(session_key)
+ VALID_KEY_CHARS = set("abcdef0123456789")
+
 def _key_to_file(self, session_key=None):
 """
 Get the file associated with this session key.
@@ -36,9 +38,9 @@ class SessionStore(SessionBase):
 # Make sure we're not vulnerable to directory traversal. Session keys
 # should always be md5s, so they should never contain directory
 # components.
- if os.path.sep in session_key:
+ if not set(session_key).issubset(self.VALID_KEY_CHARS):
 raise SuspiciousOperation(
- "Invalid characters (directory components) in session key")
+ "Invalid characters in session key")
 return os.path.join(self.storage_path, self.file_prefix + session_key)
diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
index f0a3c4ec8c..01faab859c 100644
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -129,6 +129,17 @@ True
 >>> file_session = FileSession(file_session.session_key)
 >>> file_session.save()
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
 # Make sure the file backend checks for a good storage dir
 >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
 >>> FileSession()
|
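Review bot: `VALID_KEY_CHARS` is a security-relevant allowlist but is declared as a mutable `set` sitting between `__init__` and `_key_to_file`, so any code holding a reference to the class could mutate it and a reader has to hunt for it; I'd make it `VALID_KEY_CHARS = frozenset("abcdef0123456789")` and move it to the top of the class body with the other class-level declarations. A one-line comment such as `# Session keys are lowercase md5 hexdigests; anything else is rejected in _key_to_file.` would record why only lowercase hex is accepted. The enclosing class `SessionStore` starts before this hunk.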
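Review bot: The comment above the replaced `if` still explains the old blacklist ("they should never contain directory components") while the code now enforces a hex-only allowlist, so the two no longer agree; I'd rewrite the last clause as `# should always be md5s, so anything outside [0-9a-f] is rejected.` Separately, `set(session_key).issubset(...)` accepts the empty string, since the empty set is a subset of every set, and the path then collapses to `self.storage_path/self.file_prefix`; if an empty key from the cookie can reach this point (that depends on the `session_key is None` handling above the hunk, which I cannot see), `if not session_key or not set(session_key).issubset(self.VALID_KEY_CHARS):` closes it with no change to the error raised. `_key_to_file` begins outside this hunk.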
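Review bot: Both new doctests use path separators only, so they exercise the traversal symptom rather than the allowlist the fix actually introduces, and neither would fail if a future change reverted to a separator blacklist that also covered backslashes. Add one case with no separator and a non-hex character, e.g. `>>> FileSession("abcdefg").load()` expecting the same `SuspiciousOperation: Invalid characters in session key`, and one with uppercase hex such as `"ABCDEF0123456789"` so the lowercase-only behaviour of the allowlist is pinned deliberately rather than by accident. The surrounding doctest block continues outside the hunk.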
