Loading django/contrib/sessions/backends/base.py +6 −5 Original line number Diff line number Diff line Loading @@ -6,6 +6,7 @@ try: from django.utils.six.moves import cPickle as pickle except ImportError: import pickle import string from django.conf import settings from django.core.exceptions import SuspiciousOperation Loading @@ -15,6 +16,10 @@ from django.utils.crypto import salted_hmac from django.utils import timezone from django.utils.encoding import force_bytes # session_key should not be case sensitive because some backends can store it # on case insensitive file systems. VALID_KEY_CHARS = string.ascii_lowercase + string.digits class CreateError(Exception): """ Used internally as a consistent exception type to catch from save (see the Loading Loading @@ -132,12 +137,8 @@ class SessionBase(object): def _get_new_session_key(self): "Returns session key that isn't being used." # Todo: move to 0-9a-z charset in 1.5 hex_chars = '1234567890abcdef' # session_key should not be case sensitive because some backends # can store it on case insensitive file systems. while True: session_key = get_random_string(32, hex_chars) session_key = get_random_string(32, VALID_KEY_CHARS) if not self.exists(session_key): break return session_key Loading django/contrib/sessions/backends/file.py +2 −4 Original line number Diff line number Diff line Loading @@ -4,7 +4,7 @@ import os import tempfile from django.conf import settings from django.contrib.sessions.backends.base import SessionBase, CreateError from django.contrib.sessions.backends.base import SessionBase, CreateError, VALID_KEY_CHARS from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured from django.utils import timezone Loading Loading @@ -36,8 +36,6 @@ class SessionStore(SessionBase): cls._storage_path = storage_path return storage_path VALID_KEY_CHARS = set("abcdef0123456789") def _key_to_file(self, session_key=None): """ Get the file associated with this session key. Loading 
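Review bot: The new module-level `VALID_KEY_CHARS` is used for two different things — the alphabet `_get_new_session_key` draws from and (in the file backend) the set an incoming key is validated against — and its comment only explains the case-insensitivity rationale; it should state that second role so nobody later adds characters that are unsafe in a path, e.g. `# Also the only characters a backend may accept from a client-supplied key (the file backend builds paths from it), so keep it path-safe.` Worth noting too that the key is still chosen with a look-then-return loop (`if not self.exists(session_key): break`); any uniqueness guarantee under concurrency presumably still rests on the backend's save raising `CreateError` rather than on this check, so the docstring could say `"Returns a key that is not in use at the time of the check; callers must still handle CreateError on save."` The widening from 16 to 36 symbols at 32 characters raises the key entropy from 128 to roughly 165 bits, which is a fine side effect but not mentioned anywhere. Whether `get_random_string` draws from a CSPRNG is not visible in this hunk and should be confirmed.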
@@ -48,7 +46,7 @@ class SessionStore(SessionBase): # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory # components. if not set(session_key).issubset(self.VALID_KEY_CHARS): if not set(session_key).issubset(set(VALID_KEY_CHARS)): raise SuspiciousOperation( "Invalid characters in session key") Loading Loading
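Review bot: The comment above the traversal check, `Session keys should always be md5s`, is now false on the new side — keys are 32 characters from `[a-z0-9]`, not hex digests — and should read `# Session keys are generated from VALID_KEY_CHARS ([a-z0-9]), so a key with anything else in it cannot be ours and must never reach the file system.` The check itself also rebuilds `set(VALID_KEY_CHARS)` on every call and still accepts an empty key, since the empty set is a subset of anything; a module-level `_VALID_KEY_SET = frozenset(VALID_KEY_CHARS)` and `if not session_key or not set(session_key) <= _VALID_KEY_SET:` would address both, if an empty key can actually reach this point (the start of `_key_to_file` is in the previous section and the rest of its body is outside this hunk, so I cannot see how `None`/empty is handled). Dropping the class attribute `VALID_KEY_CHARS` also silently disables any subclass that overrode it, which may be intended but deserves a line in the commit message.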
django/contrib/sessions/backends/base.py +6 −5 Original line number Diff line number Diff line Loading @@ -6,6 +6,7 @@ try: from django.utils.six.moves import cPickle as pickle except ImportError: import pickle import string from django.conf import settings from django.core.exceptions import SuspiciousOperation Loading @@ -15,6 +16,10 @@ from django.utils.crypto import salted_hmac from django.utils import timezone from django.utils.encoding import force_bytes # session_key should not be case sensitive because some backends can store it # on case insensitive file systems. VALID_KEY_CHARS = string.ascii_lowercase + string.digits class CreateError(Exception): """ Used internally as a consistent exception type to catch from save (see the Loading Loading @@ -132,12 +137,8 @@ class SessionBase(object): def _get_new_session_key(self): "Returns session key that isn't being used." # Todo: move to 0-9a-z charset in 1.5 hex_chars = '1234567890abcdef' # session_key should not be case sensitive because some backends # can store it on case insensitive file systems. while True: session_key = get_random_string(32, hex_chars) session_key = get_random_string(32, VALID_KEY_CHARS) if not self.exists(session_key): break return session_key Loading
django/contrib/sessions/backends/file.py +2 −4 Original line number Diff line number Diff line Loading @@ -4,7 +4,7 @@ import os import tempfile from django.conf import settings from django.contrib.sessions.backends.base import SessionBase, CreateError from django.contrib.sessions.backends.base import SessionBase, CreateError, VALID_KEY_CHARS from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured from django.utils import timezone Loading Loading @@ -36,8 +36,6 @@ class SessionStore(SessionBase): cls._storage_path = storage_path return storage_path VALID_KEY_CHARS = set("abcdef0123456789") def _key_to_file(self, session_key=None): """ Get the file associated with this session key. Loading @@ -48,7 +46,7 @@ class SessionStore(SessionBase): # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory # components. if not set(session_key).issubset(self.VALID_KEY_CHARS): if not set(session_key).issubset(set(VALID_KEY_CHARS)): raise SuspiciousOperation( "Invalid characters in session key") Loading