diff --git a/AUTHORS b/AUTHORS index dd3b292311..771e5e6270 100644 --- a/AUTHORS +++ b/AUTHORS @@ -492,6 +492,7 @@ answer newbie questions, and generally made Django that much better: Alex Robbins Matt Robenolt Henrique Romano + Erik Romijn Armin Ronacher Daniel Roseman Rozza diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py index 9588680fea..3c3408e9a8 100644 --- a/django/contrib/sessions/backends/file.py +++ b/django/contrib/sessions/backends/file.py @@ -86,7 +86,7 @@ class SessionStore(SessionBase): session_data = {} self.delete() self.create() - except IOError: + except (IOError, SuspiciousOperation): self.create() return session_data diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py index 8bcc505ee6..1a7286e77e 100644 --- a/django/contrib/sessions/tests.py +++ b/django/contrib/sessions/tests.py @@ -403,14 +403,21 @@ class FileSessionTests(SessionTestsMixin, unittest.TestCase): self.assertRaises(ImproperlyConfigured, self.backend) def test_invalid_key_backslash(self): - # Ensure we don't allow directory-traversal + # This key should be refused and a new session should be created + self.assertTrue(self.backend("a\\b\\c").load()) + + def test_invalid_key_backslash(self): + # Ensure we don't allow directory-traversal. + # This is tested directly on _key_to_file, as load() will swallow + # a SuspiciousOperation in the same way as an IOError - by creating + # a new session, making it unclear whether the slashes were detected. self.assertRaises(SuspiciousOperation, - self.backend("a\\b\\c").load) + self.backend()._key_to_file, "a\\b\\c") def test_invalid_key_forwardslash(self): # Ensure we don't allow directory-traversal self.assertRaises(SuspiciousOperation, - self.backend("a/b/c").load) + self.backend()._key_to_file, "a/b/c") @override_settings(SESSION_ENGINE="django.contrib.sessions.backends.file") def test_clearsessions_command(self):