Fixed #19356 -- Increased session key entropy.
This commit is contained in:
parent
b7e44313bb
commit
d913a8b412
|
@ -6,6 +6,7 @@ try:
|
||||||
from django.utils.six.moves import cPickle as pickle
|
from django.utils.six.moves import cPickle as pickle
|
||||||
except ImportError:
|
except ImportError:
|
||||||
import pickle
|
import pickle
|
||||||
|
import string
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.core.exceptions import SuspiciousOperation
|
from django.core.exceptions import SuspiciousOperation
|
||||||
|
@ -15,6 +16,10 @@ from django.utils.crypto import salted_hmac
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
from django.utils.encoding import force_bytes
|
from django.utils.encoding import force_bytes
|
||||||
|
|
||||||
|
# session_key should not be case sensitive because some backends can store it
|
||||||
|
# on case insensitive file systems.
|
||||||
|
VALID_KEY_CHARS = string.ascii_lowercase + string.digits
|
||||||
|
|
||||||
class CreateError(Exception):
|
class CreateError(Exception):
|
||||||
"""
|
"""
|
||||||
Used internally as a consistent exception type to catch from save (see the
|
Used internally as a consistent exception type to catch from save (see the
|
||||||
|
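Review bot: The comment above VALID_KEY_CHARS reads as if key comparison should be case-insensitive, whereas the code actually restricts the generated alphabet to lowercase so that two distinct keys cannot collide when a backend uses the key as a file name on a case-insensitive file system. Suggest `# Restrict the alphabet to lowercase: some backends store the key in a file name, and on a case-insensitive file system 'a' and 'A' would name the same session.` The file backend's character check in _key_to_file relies on this same constant, so this comment is also where a maintainer would look before widening the alphabet.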
@ -132,12 +137,8 @@ class SessionBase(object):
|
||||||
|
|
||||||
def _get_new_session_key(self):
|
def _get_new_session_key(self):
|
||||||
"Returns session key that isn't being used."
|
"Returns session key that isn't being used."
|
||||||
# Todo: move to 0-9a-z charset in 1.5
|
|
||||||
hex_chars = '1234567890abcdef'
|
|
||||||
# session_key should not be case sensitive because some backends
|
|
||||||
# can store it on case insensitive file systems.
|
|
||||||
while True:
|
while True:
|
||||||
session_key = get_random_string(32, hex_chars)
|
session_key = get_random_string(32, VALID_KEY_CHARS)
|
||||||
if not self.exists(session_key):
|
if not self.exists(session_key):
|
||||||
break
|
break
|
||||||
return session_key
|
return session_key
|
||||||
|
|
|
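Review bot: The key length 32 remains a bare literal beside the new VALID_KEY_CHARS constant, and nothing in the method records that the alphabet change is what raised the entropy (32 symbols from a 36-character alphabet is about 165 bits, versus 128 bits with the previous 16-character hex set). Extending the docstring to `"Returns a 32-character key drawn from VALID_KEY_CHARS (~165 bits) that isn't being used."` would make the guarantee visible where callers look. The `exists()` loop is unchanged and remains the only thing ruling out a clash with an already-stored key. The method sits inside SessionBase, whose class body starts and ends outside the hunk.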
@ -4,7 +4,7 @@ import os
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.contrib.sessions.backends.base import SessionBase, CreateError
|
from django.contrib.sessions.backends.base import SessionBase, CreateError, VALID_KEY_CHARS
|
||||||
from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
|
from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
|
|
||||||
|
@ -36,8 +36,6 @@ class SessionStore(SessionBase):
|
||||||
cls._storage_path = storage_path
|
cls._storage_path = storage_path
|
||||||
return storage_path
|
return storage_path
|
||||||
|
|
||||||
VALID_KEY_CHARS = set("abcdef0123456789")
|
|
||||||
|
|
||||||
def _key_to_file(self, session_key=None):
|
def _key_to_file(self, session_key=None):
|
||||||
"""
|
"""
|
||||||
Get the file associated with this session key.
|
Get the file associated with this session key.
|
||||||
|
@ -48,7 +46,7 @@ class SessionStore(SessionBase):
|
||||||
# Make sure we're not vulnerable to directory traversal. Session keys
|
# Make sure we're not vulnerable to directory traversal. Session keys
|
||||||
# should always be md5s, so they should never contain directory
|
# should always be md5s, so they should never contain directory
|
||||||
# components.
|
# components.
|
||||||
if not set(session_key).issubset(self.VALID_KEY_CHARS):
|
if not set(session_key).issubset(set(VALID_KEY_CHARS)):
|
||||||
raise SuspiciousOperation(
|
raise SuspiciousOperation(
|
||||||
"Invalid characters in session key")
|
"Invalid characters in session key")
|
||||||
|
|
||||||
|
|
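Review bot: The comment two lines above the check, `# should always be md5s`, is now stale: keys are 32 characters from VALID_KEY_CHARS, not md5 hex digests, so it should read `# should always be 32 characters from VALID_KEY_CHARS, so they should never contain directory components.` On the changed line itself, `set.issubset` accepts any iterable, so `set(VALID_KEY_CHARS)` rebuilds a set on every call for no gain; `if not set(session_key).issubset(VALID_KEY_CHARS):` is equivalent. The traversal guard's effect is unchanged, since both the old and new alphabets exclude path separators and dots. _key_to_file begins in the previous hunk and its body continues past this one.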