Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only

Erik Romijn 2013-05-19 15:25:49 +02:00 committed by Aymeric Augustin
parent a9b98f59aa
commit f88700d610
3 changed files with 12 additions and 4 deletions


@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better:
Alex Robbins <alexander.j.robbins@gmail.com> Alex Robbins <alexander.j.robbins@gmail.com>
Matt Robenolt <m@robenolt.com> Matt Robenolt <m@robenolt.com>
Henrique Romano <onaiort@gmail.com> Henrique Romano <onaiort@gmail.com>
Erik Romijn <django@solidlinks.nl>
Armin Ronacher Armin Ronacher
Daniel Roseman <http://roseman.org.uk/> Daniel Roseman <http://roseman.org.uk/>
Rozza <ross.lawley@gmail.com> Rozza <ross.lawley@gmail.com>


@ -86,7 +86,7 @@ class SessionStore(SessionBase):
session_data = {} session_data = {}
self.delete() self.delete()
self.create() self.create()
except IOError: except (IOError, SuspiciousOperation):
self.create() self.create()
return session_data return session_data
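Review bot: The widened `except (IOError, SuspiciousOperation):` makes a rejected session key — which, per the new test comment in this commit, is what `_key_to_file` raises `SuspiciousOperation` for when the key contains path separators — indistinguishable from a merely missing session file: both fall silently through to `self.create()` and nothing records that a traversal-shaped key was presented. Replacing the 500 with a fresh session is the right user-facing outcome, but the detection signal should not be discarded; split the clause so the suspicious case is logged before the fallback, e.g. `except SuspiciousOperation:` / `logger.warning("Rejected invalid session key", exc_info=True)` / `self.create()`, assuming a module-level logger is available (the module's imports are outside this hunk). A one-line comment on the fallback, `# Invalid key or unreadable file: start a new session rather than 500`, would also make the intent clear to the next reader. The enclosing `load()` method begins above the hunk.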


@ -403,14 +403,21 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase):
self.assertRaises(ImproperlyConfigured, self.backend) self.assertRaises(ImproperlyConfigured, self.backend)
def test_invalid_key_backslash(self): def test_invalid_key_backslash(self):
# Ensure we don't allow directory-traversal # This key should be refused and a new session should be created
self.assertTrue(self.backend("a\\b\\c").load())
def test_invalid_key_backslash(self):
# Ensure we don't allow directory-traversal.
# This is tested directly on _key_to_file, as load() will swallow
# a SuspiciousOperation in the same way as an IOError - by creating
# a new session, making it unclear whether the slashes were detected.
self.assertRaises(SuspiciousOperation, self.assertRaises(SuspiciousOperation,
self.backend("a\\b\\c").load) self.backend()._key_to_file, "a\\b\\c")
def test_invalid_key_forwardslash(self): def test_invalid_key_forwardslash(self):
# Ensure we don't allow directory-traversal # Ensure we don't allow directory-traversal
self.assertRaises(SuspiciousOperation, self.assertRaises(SuspiciousOperation,
self.backend("a/b/c").load) self.backend()._key_to_file, "a/b/c")
@override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file") @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file")
def test_clearsessions_command(self): def test_clearsessions_command(self):
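Review bot: The new side of this hunk defines `test_invalid_key_backslash` twice in the same class — the existing method kept as context and a second `def test_invalid_key_backslash(self):` added a few lines below it — so the later definition replaces the earlier one when the class body is evaluated, and the `self.assertTrue(self.backend("a\\b\\c").load())` case, the only test here that actually exercises the widened `except` in the file backend, is never collected or run. Give the first method a distinct name, e.g. `def test_invalid_key_backslash_creates_new_session(self):`. Once it does run, check what it asserts: for a refused key `load()` falls through to `self.create()` and returns `session_data`, which looks like it is still the empty dict on that path, and `assertTrue({})` fails — if so, the assertion should target the fallback itself (that `load()` returns without raising, or that a new session key was issued) rather than the truthiness of the returned data. The enclosing `FileSessionTests` class starts above the hunk and `test_clearsessions_command` continues below it.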