Tree - rpms/python-cherrypy - src.fedoraproject.org

rpms / python-cherrypy

Overview Files Commits Branches Forks Releases

Monitoring status:

Bugzilla Assignee:

Fedora:: mrunge
EPEL:: mrunge

Files

Commit: d6211acc9879d0a0aa7ae2805928f8ad91aaaf68

Blob Blame History Raw

diff -up CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix CherryPy-2.2.1/cherrypy/filters/sessionfilter.py
--- CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix	2008-01-06 08:54:39.000000000 -0800
+++ CherryPy-2.2.1/cherrypy/filters/sessionfilter.py	2008-01-06 08:55:31.000000000 -0800
@@ -326,6 +326,8 @@ class FileStorage:
             raise SessionStoragePathNotConfiguredError()
         fileName = self.SESSION_PREFIX + id
         file_path = os.path.join(storage_path, fileName)
+        if not os.path.normpath(filePath).startswith(storagePath):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return file_path
     
     def _lock_file(self, path):

rpms / python-cherrypy

Source Code

Files