diff --git a/beaker/session.py b/beaker/session.py index e14a6bb1..e9b9b4b0 100644 --- a/beaker/session.py +++ b/beaker/session.py @@ -2,6 +2,7 @@ import os from datetime import datetime, timedelta import time +from re import match from beaker.crypto import hmac as HMAC, hmac_sha1 as SHA1, sha1 from beaker import crypto, util from beaker.cache import clsmap @@ -153,6 +154,9 @@ def __init__(self, request, id=None, invalidate_corrupt=False, if not self.id and self.key in self.cookie: self.id = self.cookie[self.key].value + if self.id and not match("^[0-9a-zA-Z-_]+\Z", self.id): + self.id = None + self.is_new = self.id is None if self.is_new: self._create_id() diff --git a/tests/test_cookie_traversal.py b/tests/test_cookie_traversal.py new file mode 100644 index 00000000..565c2099 --- /dev/null +++ b/tests/test_cookie_traversal.py @@ -0,0 +1,42 @@ +# -*- coding: utf-8 -*- +import sys +import time +import warnings +import os + +from beaker.session import Session + + +def get_session(**kwargs): + """A shortcut for creating :class:`Session` instance""" + options = {} + options.update(**kwargs) + return Session({}, **options) + +def test_file_traversal_cookie(): + session = get_session(id='..traversed', type='file', data_dir='.') + session[u'traversal'] = u'True' + session.save() + assert not os.path.exists('./..traversed.cache') + + +def test_save_load(): + """Test if the data is actually persistent across requests""" + session = get_session(type='file', data_dir='.') + session[u'Suomi'] = u'Kimi Räikkönen' + session[u'Great Britain'] = u'Jenson Button' + session[u'Deutchland'] = u'Sebastian Vettel' + session.save() + + session = get_session(id=session.id, type='file', data_dir='.') + assert u'Suomi' in session + assert u'Great Britain' in session + assert u'Deutchland' in session + + assert session[u'Suomi'] == u'Kimi Räikkönen' + assert session[u'Great Britain'] == u'Jenson Button' + assert session[u'Deutchland'] == u'Sebastian Vettel' + +test_save_load() +test_file_traversal_cookie() +