Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only

2013-05-19 15:25:49 +02:00 · 2013-05-19 15:25:49 +02:00 · f88700d610
parent a9b98f59aa
commit f88700d610
3 changed files with 12 additions and 4 deletions
--- a/1
+++ b/1
@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
    Alex Robbins <alexander.j.robbins@gmail.com>
    Matt Robenolt <m@robenolt.com>
    Henrique Romano <onaiort@gmail.com>
+    Erik Romijn <django@solidlinks.nl>
    Armin Ronacher
    Daniel Roseman <http://roseman.org.uk/>
    Rozza <ross.lawley@gmail.com>
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@ -86,7 +86,7 @@ class SessionStore(SessionBase):
                    session_data = {}
                    self.delete()
                    self.create()
-        except IOError:
+        except (IOError, SuspiciousOperation):
            self.create()
        return session_data

--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@ -403,14 +403,21 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
        self.assertRaises(ImproperlyConfigured, self.backend)

    def test_invalid_key_backslash(self):
-        # Ensure we don't allow directory-traversal
+        # This key should be refused and a new session should be created
+        self.assertTrue(self.backend("a\\b\\c").load())
+
+    def test_invalid_key_backslash(self):
+        # Ensure we don't allow directory-traversal.
+        # This is tested directly on _key_to_file, as load() will swallow
+        # a SuspiciousOperation in the same way as an IOError - by creating
+        # a new session, making it unclear whether the slashes were detected.
        self.assertRaises(SuspiciousOperation,
-                          self.backend("a\\b\\c").load)
+                          self.backend()._key_to_file, "a\\b\\c")

    def test_invalid_key_forwardslash(self):
        # Ensure we don't allow directory-traversal
        self.assertRaises(SuspiciousOperation,
-                          self.backend("a/b/c").load)
+                          self.backend()._key_to_file, "a/b/c")

    @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
    def test_clearsessions_command(self):