From 6ca7c9c495d4195114a6b9d1130dc107921f83b2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Feb 2011 02:13:24 +0000 Subject: [PATCH] Fixed a security issue in the file session backend. Disclosure and new release forthcoming. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/sessions/backends/file.py | 6 ++++-- django/contrib/sessions/tests.py | 12 +++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py index 843edca9cf4..2c4e40dbc7a 100644 --- a/django/contrib/sessions/backends/file.py +++ b/django/contrib/sessions/backends/file.py @@ -26,6 +26,8 @@ class SessionStore(SessionBase): self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) + VALID_KEY_CHARS = set("abcdef0123456789") + def _key_to_file(self, session_key=None): """ Get the file associated with this session key. @@ -36,9 +38,9 @@ class SessionStore(SessionBase): # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory # components. - if os.path.sep in session_key: + if not set(session_key).issubset(self.VALID_KEY_CHARS): raise SuspiciousOperation( - "Invalid characters (directory components) in session key") + "Invalid characters in session key") return os.path.join(self.storage_path, self.file_prefix + session_key) diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py index 941c7e811b3..afdb7618168 100644 --- a/django/contrib/sessions/tests.py +++ b/django/contrib/sessions/tests.py @@ -11,7 +11,7 @@ from django.contrib.sessions.backends.cached_db import SessionStore as CacheDBSe from django.contrib.sessions.backends.file import SessionStore as FileSession from django.contrib.sessions.models import Session from django.contrib.sessions.middleware import SessionMiddleware -from django.core.exceptions import ImproperlyConfigured +from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation from django.http import HttpResponse from django.test import TestCase, RequestFactory from django.utils import unittest @@ -322,6 +322,16 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase): settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer" self.assertRaises(ImproperlyConfigured, self.backend) + def test_invalid_key_backslash(self): + # Ensure we don't allow directory-traversal + self.assertRaises(SuspiciousOperation, + self.backend("a\\b\\c").load) + + def test_invalid_key_forwardslash(self): + # Ensure we don't allow directory-traversal + self.assertRaises(SuspiciousOperation, + self.backend("a/b/c").load) + class CacheSessionTests(SessionTestsMixin, unittest.TestCase):