mirror of https://github.com/django/django.git
Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only
This commit is contained in:
parent
a9b98f59aa
commit
f88700d610
1
AUTHORS
1
AUTHORS
|
@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
|
|||
Alex Robbins <alexander.j.robbins@gmail.com>
|
||||
Matt Robenolt <m@robenolt.com>
|
||||
Henrique Romano <onaiort@gmail.com>
|
||||
Erik Romijn <django@solidlinks.nl>
|
||||
Armin Ronacher
|
||||
Daniel Roseman <http://roseman.org.uk/>
|
||||
Rozza <ross.lawley@gmail.com>
|
||||
|
|
|
@ -86,7 +86,7 @@ class SessionStore(SessionBase):
|
|||
session_data = {}
|
||||
self.delete()
|
||||
self.create()
|
||||
except IOError:
|
||||
except (IOError, SuspiciousOperation):
|
||||
self.create()
|
||||
return session_data
|
||||
|
||||
|
|
|
@ -403,14 +403,21 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
|
|||
self.assertRaises(ImproperlyConfigured, self.backend)
|
||||
|
||||
def test_invalid_key_backslash(self):
|
||||
# Ensure we don't allow directory-traversal
|
||||
# This key should be refused and a new session should be created
|
||||
self.assertTrue(self.backend("a\\b\\c").load())
|
||||
|
||||
def test_invalid_key_backslash(self):
|
||||
# Ensure we don't allow directory-traversal.
|
||||
# This is tested directly on _key_to_file, as load() will swallow
|
||||
# a SuspiciousOperation in the same way as an IOError - by creating
|
||||
# a new session, making it unclear whether the slashes were detected.
|
||||
self.assertRaises(SuspiciousOperation,
|
||||
self.backend("a\\b\\c").load)
|
||||
self.backend()._key_to_file, "a\\b\\c")
|
||||
|
||||
def test_invalid_key_forwardslash(self):
|
||||
# Ensure we don't allow directory-traversal
|
||||
self.assertRaises(SuspiciousOperation,
|
||||
self.backend("a/b/c").load)
|
||||
self.backend()._key_to_file, "a/b/c")
|
||||
|
||||
@override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
|
||||
def test_clearsessions_command(self):
|
||||
|
|
Loading…
Reference in New Issue