Fixed #19356 -- Increased session key entropy.

2025-10-30 17:16:10 +00:00 · 2012-11-29 16:36:43 +01:00
parent b7e44313bb
commit d913a8b412
2 changed files with 8 additions and 9 deletions
--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -6,6 +6,7 @@ try:
    from django.utils.six.moves import cPickle as pickle
 except ImportError:
    import pickle
+import string

 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -15,6 +16,10 @@ from django.utils.crypto import salted_hmac
 from django.utils import timezone
 from django.utils.encoding import force_bytes

+# session_key should not be case sensitive because some backends can store it
+# on case insensitive file systems.
+VALID_KEY_CHARS = string.ascii_lowercase + string.digits
+
 class CreateError(Exception):
    """
    Used internally as a consistent exception type to catch from save (see the
@@ -132,12 +137,8 @@ class SessionBase(object):

    def _get_new_session_key(self):
        "Returns session key that isn't being used."
-        # Todo: move to 0-9a-z charset in 1.5
-        hex_chars = '1234567890abcdef'
-        # session_key should not be case sensitive because some backends
-        # can store it on case insensitive file systems.
        while True:
-            session_key = get_random_string(32, hex_chars)
+            session_key = get_random_string(32, VALID_KEY_CHARS)
            if not self.exists(session_key):
                break
        return session_key
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -4,7 +4,7 @@ import os
 import tempfile

 from django.conf import settings
-from django.contrib.sessions.backends.base import SessionBase, CreateError
+from django.contrib.sessions.backends.base import SessionBase, CreateError, VALID_KEY_CHARS
 from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
 from django.utils import timezone

@@ -36,8 +36,6 @@ class SessionStore(SessionBase):
            cls._storage_path = storage_path
            return storage_path

-    VALID_KEY_CHARS = set("abcdef0123456789")
-
    def _key_to_file(self, session_key=None):
        """
        Get the file associated with this session key.
@@ -48,7 +46,7 @@ class SessionStore(SessionBase):
        # Make sure we're not vulnerable to directory traversal. Session keys
        # should always be md5s, so they should never contain directory
        # components.
-        if not set(session_key).issubset(self.VALID_KEY_CHARS):
+        if not set(session_key).issubset(set(VALID_KEY_CHARS)):
            raise SuspiciousOperation(
                "Invalid characters in session key")