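--- a/FILE_1_PATH_NOT_ON_PAGE
+++ b/FILE_1_PATH_NOT_ON_PAGE
@@ -26,6 +26,8 @@ def __init__(self, session_key=None):
         self.file_prefix = settings.SESSION_COOKIE_NAME
         super(SessionStore, self).__init__(session_key)
 
+    VALID_KEY_CHARS = set("abcdef0123456789")
+
     def _key_to_file(self, session_key=None):
         """
         Get the file associated with this session key.
@@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None):
         # Make sure we're not vulnerable to directory traversal. Session keys
         # should always be md5s, so they should never contain directory
         # components.
-        if os.path.sep in session_key:
+        if not set(session_key).issubset(self.VALID_KEY_CHARS):
             raise SuspiciousOperation(
-                "Invalid characters (directory components) in session key")
+                "Invalid characters in session key")
 
         return os.path.join(self.storage_path, self.file_prefix + session_key)
 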
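Review bot: The comment above the new check in the second hunk still describes the old separator test ("should never contain directory components") while the code now enforces a character whitelist, so it should state the actual rule: `# Session keys are md5 hex digests, so reject anything outside [a-f0-9]; this covers os.sep, os.altsep and ".." without naming them.` Two points of style: `VALID_KEY_CHARS` is a constant and reads better as a `frozenset` at the top of the class rather than between `__init__` and `_key_to_file`, and an empty key passes the subset test (the empty set is a subset of anything), which the old check also allowed, so it is not a regression but deserves a word in the comment. The body of `_key_to_file` continues between and after the hunks, so whether `session_key=None` is resolved to `self.session_key` before the check is not visible here; if it is not, `set(None)` raises TypeError rather than SuspiciousOperation, as the old `in` test would have.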
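--- a/FILE_2_PATH_NOT_ON_PAGE
+++ b/FILE_2_PATH_NOT_ON_PAGE
@@ -129,6 +129,17 @@
 >>> file_session = FileSession(file_session.session_key)
 >>> file_session.save()
 
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+...
+SuspiciousOperation: Invalid characters in session key
+
 # Make sure the file backend checks for a good storage dir
 >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
 >>> FileSession()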
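Review bot: Both new doctests use a key containing a path separator, which the old `os.path.sep` check already caught on POSIX; the case the whitelist newly covers — a key with no separator but characters outside [a-f0-9], such as `".."` or an uppercase hex digit — is not exercised, so a third doctest, `>>> FileSession("..").load()` with the same traceback, would pin the new behaviour. Only `load()` is driven; if `save()` and `delete()` also go through `_key_to_file` (not visible in this section), one of them should carry the same assertion so a later change to `load()` alone cannot bypass the check unnoticed. The `"a\\b\\c"` case is worth keeping since backslash is not `os.path.sep` on POSIX and was missed by the old check.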