Ticket #840 (defect)
Opened 1 month ago
Last modified 1 month ago
File-based sessions storage path is not stored as an absolute path
Status: closed (fixed)
| Reported by: | guest | Assigned to: | no_mind |
|---|---|---|---|
| Priority: | highest | Milestone: | 3.1 |
| Component: | sessions | Keywords: | sessions absolute path cookie |
| Cc: |
Suppose you have this session config:
[/] tools.sessions.on = True tools.sessions.timeout = 120 tools.sessions.storage_type = "file" tools.sessions.storage_path = "acapela/sessions"
lib.sessions.py.FileSession.setup() tries to turn the relative storage_path into an absolute path before storing, but somehow the _get_file_path() method still raises the HTTPError:
if not os.path.abspath(f).startswith(self.storage_path):
raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
I have determined that when this executes, self.storage_path is still "acapela/sessions".
This used to work in CherryPy 3.1.0beta3.
Change History
07/16/08 13:58:53: Modified by fumanchu
- status changed from new to closed.
- resolution set to fixed.
Fixed in [2021]. The temporary workaround is to make tools.sessions.storage_path an absolute path.