[mod_python] Oops, found a small bug in the session code

Dan Eloff dan.eloff at gmail.com
Wed Jun 15 19:29:33 EDT 2005

Just discovered this.

# XXX Not sure why, but on Win32 hlist.directory
# may contain a trailing \ - need to investigate,
# this value is given to us directly by httpd
if os.name == 'nt' and c.path[-1] == '\\':
    c.path = c.path[:-1]
# Sometimes there is no path, e.g. when Location
# is used. When Alias or UserDir are used, then
# the path wouldn't match the URI. In those cases
# just default to '/'
if not c.path or not self._req.uri.startswith(c.path):
    c.path = '/'

In the first if statement, c.path[-1] will throw IndexError if c.path
is empty (which is possible if you read the next comment). You should
change it to:

if os.name == 'nt' and (c.path and c.path[-1] == '\\'):
    c.path = c.path[:-1]

The chance of collisions for the md5 algo is very low, comparable to
the chance of that asteroid landing on your house, but if you're
worried you could always create two hashes, and md5, and a sha maybe
and concatenate them to form the sid. But to be honest the possibility
that someone intercepts your sid and takes advantage of that is higher
than a collision. If people need real security they will doubtless
make their own subclass and use ssl.


More information about the Mod_python mailing list