Robert Brewer committed ad808ea

2.1 fix for #744 (Malicious cookies may allow access to files outside the session directory).

  • Participants
  • Parent commits beb6ac5
  • Branches cherrypy-2.1

Comments (0)

Files changed (1)

File cherrypy/lib/filter/

         storagePath = cherrypy.config.get('sessionFilter.storagePath')
         fileName = self.SESSION_PREFIX + id
         filePath = os.path.join(storagePath, fileName)
+        if not os.path.normpath(filePath).startswith(storagePath):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return filePath
     def _lockFile(self, path):