$OpenBSD: patch-django_contrib_sessions_backends_file_py,v 1.1 2011/02/11 11:45:48 jasper Exp $

Security fix for SA43230: tighten the session-key validation in the file-based session backend so a crafted key cannot be used for directory traversal when the key is mapped to a filename.
http://www.djangoproject.com/weblog/2011/feb/08/security/

Patch from upstream svn -r15468.

--- django/contrib/sessions/backends/file.py.orig	Mon Sep  1 13:25:16 2008
+++ django/contrib/sessions/backends/file.py	Thu Feb 10 09:59:08 2011
@@ -25,6 +25,8 @@ class SessionStore(SessionBase):
 
         self.file_prefix = settings.SESSION_COOKIE_NAME
         super(SessionStore, self).__init__(session_key)
+        
+    VALID_KEY_CHARS = set("abcdef0123456789") 
 
     def _key_to_file(self, session_key=None):
         """
@@ -36,9 +38,9 @@ class SessionStore(SessionBase):
         # Make sure we're not vulnerable to directory traversal. Session keys
         # should always be md5s, so they should never contain directory
         # components.
-        if os.path.sep in session_key:
+        if not set(session_key).issubset(self.VALID_KEY_CHARS):
             raise SuspiciousOperation(
-                "Invalid characters (directory components) in session key")
+                "Invalid characters in session key")
 
         return os.path.join(self.storage_path, self.file_prefix + session_key)
 
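Review bot: The subset test on L24 accepts an empty session key, because the empty set is a subset of `VALID_KEY_CHARS`; the method then returns `os.path.join(self.storage_path, self.file_prefix)`, i.e. a file named after the cookie prefix alone, which is not a per-session file. A length check alongside the character check closes this: `if not session_key or not set(session_key).issubset(self.VALID_KEY_CHARS):` (optionally also pinning the expected digest length). The `_key_to_file` signature defaults `session_key` to `None`; whether a `None` is substituted before reaching this check depends on the lines between the two hunks, which are not shown, so that case should be confirmed — passed through, `set(None)` raises `TypeError` rather than `SuspiciousOperation`. The L20–L22 comment still talks only about directory components; it now understates what the check enforces and could be reworded when the surrounding function is next touched. `_key_to_file` begins outside this hunk.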
