Commits

Robert Brewer committed ad808ea

2.1 fix for #744 (Malicious cookies may allow access to files outside the session directory).

Comments (0)

Files changed (1)

cherrypy/lib/filter/sessionfilter.py

         storagePath = cherrypy.config.get('sessionFilter.storagePath')
         fileName = self.SESSION_PREFIX + id
         filePath = os.path.join(storagePath, fileName)
+        if not os.path.normpath(filePath).startswith(storagePath):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return filePath
     
     def _lockFile(self, path):
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.