#792: Invalid session id in cookie
---------------------------+------------------------------------------------
Reporter: ppchan | Owner: rdelon
Type: defect | Status: closed
Priority: normal | Milestone: 3.1
Component: CherryPy code | Resolution: fixed
Keywords: backport |
---------------------------+------------------------------------------------
Changes (by fumanchu):
* keywords: sessions.py => backport
* milestone: => 3.1
* priority: high => normal
* resolution: => fixed
* status: new => closed
Old description:
> On a Windows environment,
> {{{
> tools.sessions.storage_path = "c:/dev/sessions"
> }}}
> causes cp to throw an HTTPError.
> {{{
> 400 Bad Request
> Invalid session id in cookie.
> }}}
> The cause is:
> {{{
> session.py
> line 305: f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
> line 306: if not os.path.normpath(f).startswith(self.storage_path):
> }}}
> os.path.join uses 2 forward slashes '\\' to join the pathnames.
> os.path.normpath(), however, uses backslash '/' as path separator. The
> startswith on line 306 will never give True in this case.
New description:
On a Windows environment,
{{{
tools.sessions.storage_path = "c:/dev/sessions"
}}}
causes cp to throw an HTTPError.
{{{
400 Bad Request
Invalid session id in cookie.
}}}
The cause is:
{{{
session.py
line 305: f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
line 306: if not os.path.normpath(f).startswith(self.storage_path):
}}}
os.path.join uses 2 backslashes '\\' to join the pathnames.
os.path.normpath(), however, uses forward slash '/' as path separator.
The startswith on line 306 will never give True in this case.
Comment:
os.path.join only uses 2 backslashes because you're on Windows; it's
platform-dependent. normpath does *not* use forward-slash; it is also
platform-dependent. The real problem is that self.storage_path is not
normpath'ed before comparing it to another normalized path:
{{{
#!python
>>> os.path.normpath("c:/dev/sessions")
'c:\\dev\\sessions'
}}}
Fixed in trunk in [1904] (abspath calls normpath). Until it's backported,
other versions should just enter Windows paths with the proper
double-backslashes as separators.
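
Added example, not part of the ticket or of CherryPy's code: the check quoted from lines 305-306 reproduced on any OS with `ntpath` (Windows path rules), next to the same check with the storage path normalized first. The function names, the `SESSION_PREFIX` value and the session ids are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, importable on every platform

SESSION_PREFIX = "session-"  # assumed stand-in for self.SESSION_PREFIX


def check_as_reported(storage_path, session_id):
    """Containment check as quoted in the ticket: the configured
    storage_path is compared raw against a normalized file path."""
    f = ntpath.join(storage_path, SESSION_PREFIX + session_id)
    return ntpath.normpath(f).startswith(storage_path)


def check_normalized(storage_path, session_id):
    """Same check, but storage_path is normalized before the comparison,
    so both sides use the platform's separator."""
    storage_path = ntpath.normpath(storage_path)
    f = ntpath.join(storage_path, SESSION_PREFIX + session_id)
    return ntpath.normpath(f).startswith(storage_path)


def run_cases():
    """Return (label, result) pairs for constructed sample inputs."""
    good_id = "abc123"                    # constructed, well-formed id
    escaping_id = "x\\..\\..\\outside.txt"  # constructed id that leaves the directory
    return [
        # Forward slashes in config: every valid id is rejected (the 400).
        ("reported, c:/dev/sessions", check_as_reported("c:/dev/sessions", good_id)),
        # Workaround from the comment: backslashes in the config value.
        ("reported, c:\\dev\\sessions", check_as_reported("c:\\dev\\sessions", good_id)),
        # Normalizing first accepts the valid id with either spelling...
        ("normalized, valid id", check_normalized("c:/dev/sessions", good_id)),
        # ...and the guard still rejects an id that resolves outside the directory.
        ("normalized, escaping id", check_normalized("c:/dev/sessions", escaping_id)),
    ]


if __name__ == "__main__":
    for label, accepted in run_cases():
        print(f"{label:32} accepted={accepted}")
```

The rejection in the first case is the "Invalid session id in cookie" error from the report; the last case shows why the check exists and that normalizing the configured path does not weaken it.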