Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
208630aa4b
commit
6ca7c9c495
|
@ -26,6 +26,8 @@ class SessionStore(SessionBase):
|
||||||
self.file_prefix = settings.SESSION_COOKIE_NAME
|
self.file_prefix = settings.SESSION_COOKIE_NAME
|
||||||
super(SessionStore, self).__init__(session_key)
|
super(SessionStore, self).__init__(session_key)
|
||||||
|
|
||||||
|
VALID_KEY_CHARS = set("abcdef0123456789")
|
||||||
|
|
||||||
def _key_to_file(self, session_key=None):
|
def _key_to_file(self, session_key=None):
|
||||||
"""
|
"""
|
||||||
Get the file associated with this session key.
|
Get the file associated with this session key.
|
||||||
|
@ -36,9 +38,9 @@ class SessionStore(SessionBase):
|
||||||
# Make sure we're not vulnerable to directory traversal. Session keys
|
# Make sure we're not vulnerable to directory traversal. Session keys
|
||||||
# should always be md5s, so they should never contain directory
|
# should always be md5s, so they should never contain directory
|
||||||
# components.
|
# components.
|
||||||
if os.path.sep in session_key:
|
if not set(session_key).issubset(self.VALID_KEY_CHARS):
|
||||||
raise SuspiciousOperation(
|
raise SuspiciousOperation(
|
||||||
"Invalid characters (directory components) in session key")
|
"Invalid characters in session key")
|
||||||
|
|
||||||
return os.path.join(self.storage_path, self.file_prefix + session_key)
|
return os.path.join(self.storage_path, self.file_prefix + session_key)
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ from django.contrib.sessions.backends.cached_db import SessionStore as CacheDBSe
|
||||||
from django.contrib.sessions.backends.file import SessionStore as FileSession
|
from django.contrib.sessions.backends.file import SessionStore as FileSession
|
||||||
from django.contrib.sessions.models import Session
|
from django.contrib.sessions.models import Session
|
||||||
from django.contrib.sessions.middleware import SessionMiddleware
|
from django.contrib.sessions.middleware import SessionMiddleware
|
||||||
from django.core.exceptions import ImproperlyConfigured
|
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
|
||||||
from django.http import HttpResponse
|
from django.http import HttpResponse
|
||||||
from django.test import TestCase, RequestFactory
|
from django.test import TestCase, RequestFactory
|
||||||
from django.utils import unittest
|
from django.utils import unittest
|
||||||
|
@ -322,6 +322,16 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
|
||||||
settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
|
settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
|
||||||
self.assertRaises(ImproperlyConfigured, self.backend)
|
self.assertRaises(ImproperlyConfigured, self.backend)
|
||||||
|
|
||||||
|
def test_invalid_key_backslash(self):
|
||||||
|
# Ensure we don't allow directory-traversal
|
||||||
|
self.assertRaises(SuspiciousOperation,
|
||||||
|
self.backend("a\\b\\c").load)
|
||||||
|
|
||||||
|
def test_invalid_key_forwardslash(self):
|
||||||
|
# Ensure we don't allow directory-traversal
|
||||||
|
self.assertRaises(SuspiciousOperation,
|
||||||
|
self.backend("a/b/c").load)
|
||||||
|
|
||||||
|
|
||||||
class CacheSessionTests(SessionTestsMixin, unittest.TestCase):
|
class CacheSessionTests(SessionTestsMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue