Fixed a security issue in the file session backend. Disclosure and new release forthcoming.

        self.file_prefix = settings.SESSION_COOKIE_NAME

        super(SessionStore, self).__init__(session_key)

    VALID_KEY_CHARS = set("abcdef0123456789")

    def _key_to_file(self, session_key=None):

        """

        Get the file associated with this session key.

        # Make sure we're not vulnerable to directory traversal. Session keys

        # should always be md5s, so they should never contain directory

        # components.

        if os.path.sep in session_key:

        if not set(session_key).issubset(self.VALID_KEY_CHARS):

            raise SuspiciousOperation(

                "Invalid characters (directory components) in session key")

                "Invalid characters in session key")

        return os.path.join(self.storage_path, self.file_prefix + session_key)

from django.contrib.sessions.backends.file import SessionStore as FileSession

from django.contrib.sessions.models import Session

from django.contrib.sessions.middleware import SessionMiddleware

from django.core.exceptions import ImproperlyConfigured

from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation

from django.http import HttpResponse

from django.test import TestCase, RequestFactory

from django.utils import unittest

        settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"

        self.assertRaises(ImproperlyConfigured, self.backend)

    def test_invalid_key_backslash(self):

        # Ensure we don't allow directory-traversal

        self.assertRaises(SuspiciousOperation,

                          self.backend("a\\b\\c").load)

    def test_invalid_key_forwardslash(self):

        # Ensure we don't allow directory-traversal

        self.assertRaises(SuspiciousOperation,

                          self.backend("a/b/c").load)

class CacheSessionTests(SessionTestsMixin, unittest.TestCase):