p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixed a security issue in the file session backend. Disclosure and new release forthcoming. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Alex Gaynor 2011-02-09 02:13:24 +00:00
parent 208630aa4b
commit 6ca7c9c495
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
django/contrib/sessions/backends/file.py
View File

@ -26,6 +26,8 @@ class SessionStore(SessionBase):
self.file_prefix = settings.SESSION_COOKIE_NAME self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key) super(SessionStore, self).__init__(session_key)
VALID_KEY_CHARS = set("abcdef0123456789")
def _key_to_file(self, session_key=None): def _key_to_file(self, session_key=None):
""" """
Get the file associated with this session key. Get the file associated with this session key.
@ -36,9 +38,9 @@ class SessionStore(SessionBase):
# Make sure we're not vulnerable to directory traversal. Session keys # Make sure we're not vulnerable to directory traversal. Session keys
# should always be md5s, so they should never contain directory # should always be md5s, so they should never contain directory
# components. # components.
if os.path.sep in session_key: if not set(session_key).issubset(self.VALID_KEY_CHARS):
raise SuspiciousOperation( raise SuspiciousOperation(
"Invalid characters (directory components) in session key") "Invalid characters in session key")
return os.path.join(self.storage_path, self.file_prefix + session_key) return os.path.join(self.storage_path, self.file_prefix + session_key)

12
django/contrib/sessions/tests.py
View File

@ -11,7 +11,7 @@ from django.contrib.sessions.backends.cached_db import SessionStore as CacheDBSe
from django.contrib.sessions.backends.file import SessionStore as FileSession from django.contrib.sessions.backends.file import SessionStore as FileSession
from django.contrib.sessions.models import Session from django.contrib.sessions.models import Session
from django.contrib.sessions.middleware import SessionMiddleware from django.contrib.sessions.middleware import SessionMiddleware
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
from django.http import HttpResponse from django.http import HttpResponse
from django.test import TestCase, RequestFactory from django.test import TestCase, RequestFactory
from django.utils import unittest from django.utils import unittest
@ -322,6 +322,16 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer" settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
self.assertRaises(ImproperlyConfigured, self.backend) self.assertRaises(ImproperlyConfigured, self.backend)
def test_invalid_key_backslash(self):
# Ensure we don't allow directory-traversal
self.assertRaises(SuspiciousOperation,
self.backend("a\\b\\c").load)
def test_invalid_key_forwardslash(self):
# Ensure we don't allow directory-traversal
self.assertRaises(SuspiciousOperation,
self.backend("a/b/c").load)
class CacheSessionTests(SessionTestsMixin, unittest.TestCase): class CacheSessionTests(SessionTestsMixin, unittest.TestCase):