From 570a32a047ea56265646217264b0d3dab1a14dbd Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Wed, 9 Feb 2011 02:14:24 +0000
Subject: [PATCH] [1.1.X] Fixed a security issue in the file session backend. 
 Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15469 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/sessions/backends/file.py |  6 ++++--
 django/contrib/sessions/tests.py         | 11 +++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
index 3f6350345f..c3516ea328 100644
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -26,6 +26,8 @@ class SessionStore(SessionBase):
         self.file_prefix = settings.SESSION_COOKIE_NAME
         super(SessionStore, self).__init__(session_key)
 
+    VALID_KEY_CHARS = set("abcdef0123456789")
+
     def _key_to_file(self, session_key=None):
         """
         Get the file associated with this session key.
@@ -36,9 +38,9 @@ class SessionStore(SessionBase):
         # Make sure we're not vulnerable to directory traversal. Session keys
         # should always be md5s, so they should never contain directory
         # components.
-        if os.path.sep in session_key:
+        if not set(session_key).issubset(self.VALID_KEY_CHARS):
             raise SuspiciousOperation(
-                "Invalid characters (directory components) in session key")
+                "Invalid characters in session key")
 
         return os.path.join(self.storage_path, self.file_prefix + session_key)
 
diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
index f0a3c4ec8c..01faab859c 100644
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -129,6 +129,17 @@ True
 >>> file_session = FileSession(file_session.session_key)
 >>> file_session.save()
 
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+    ...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+    ...
+SuspiciousOperation: Invalid characters in session key
+
 # Make sure the file backend checks for a good storage dir
 >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
 >>> FileSession()