File tree 2 files changed +15
-2
lines changed
2 files changed +15
-2
lines changed Original file line number Diff line number Diff line change @@ -26,6 +26,8 @@ def __init__(self, session_key=None):
2626 self .file_prefix = settings .SESSION_COOKIE_NAME
2727 super (SessionStore , self ).__init__ (session_key )
2828
29+ VALID_KEY_CHARS = set ("abcdef0123456789" )
30+
2931 def _key_to_file (self , session_key = None ):
3032 """
3133 Get the file associated with this session key.
@@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None):
3638 # Make sure we're not vulnerable to directory traversal. Session keys
3739 # should always be md5s, so they should never contain directory
3840 # components.
39- if os . path . sep in session_key :
41+ if not set ( session_key ). issubset ( self . VALID_KEY_CHARS ) :
4042 raise SuspiciousOperation (
41- "Invalid characters (directory components) in session key" )
43+ "Invalid characters in session key" )
4244
4345 return os .path .join (self .storage_path , self .file_prefix + session_key )
4446
Original file line number Diff line number Diff line change 129129>>> file_session = FileSession(file_session.session_key)
130130>>> file_session.save()
131131
132+ # Ensure we don't allow directory traversal
133+ >>> FileSession("a/b/c").load()
134+ Traceback (innermost last):
135+ ...
136+ SuspiciousOperation: Invalid characters in session key
137+
138+ >>> FileSession("a\\b\\c").load()
139+ Traceback (innermost last):
140+ ...
141+ SuspiciousOperation: Invalid characters in session key
142+
132143# Make sure the file backend checks for a good storage dir
133144>>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
134145>>> FileSession()
You can’t perform that action at this time.
0 commit comments