From f88700d610d69ba5b44ab7b0692f8792aab3b54b Mon Sep 17 00:00:00 2001
From: Erik Romijn <eromijn@solidlinks.nl>
Date: Sun, 19 May 2013 15:25:49 +0200
Subject: [PATCH] Fix #19664 -- Illegal Characters In Session Key Give Fatal
 Error On File Backend Only

---
 AUTHORS                                  |  1 +
 django/contrib/sessions/backends/file.py |  2 +-
 django/contrib/sessions/tests.py         | 13 ++++++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index dd3b292311..771e5e6270 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
     Alex Robbins <alexander.j.robbins@gmail.com>
     Matt Robenolt <m@robenolt.com>
     Henrique Romano <onaiort@gmail.com>
+    Erik Romijn <django@solidlinks.nl>
     Armin Ronacher
     Daniel Roseman <http://roseman.org.uk/>
     Rozza <ross.lawley@gmail.com>
diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
index 9588680fea..3c3408e9a8 100644
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -86,7 +86,7 @@ class SessionStore(SessionBase):
                     session_data = {}
                     self.delete()
                     self.create()
-        except IOError:
+        except (IOError, SuspiciousOperation):
             self.create()
         return session_data
 
diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
index 8bcc505ee6..1a7286e77e 100644
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -403,14 +403,21 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
         self.assertRaises(ImproperlyConfigured, self.backend)
 
     def test_invalid_key_backslash(self):
-        # Ensure we don't allow directory-traversal
+        # This key should be refused and a new session should be created
+        self.assertTrue(self.backend("a\\b\\c").load())
+
+    def test_invalid_key_backslash(self):
+        # Ensure we don't allow directory-traversal.
+        # This is tested directly on _key_to_file, as load() will swallow
+        # a SuspiciousOperation in the same way as an IOError - by creating
+        # a new session, making it unclear whether the slashes were detected.
         self.assertRaises(SuspiciousOperation,
-                          self.backend("a\\b\\c").load)
+                          self.backend()._key_to_file, "a\\b\\c")
 
     def test_invalid_key_forwardslash(self):
         # Ensure we don't allow directory-traversal
         self.assertRaises(SuspiciousOperation,
-                          self.backend("a/b/c").load)
+                          self.backend()._key_to_file, "a/b/c")
 
     @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
     def test_clearsessions_command(self):