Summary
get_session() currently constructs TempSession(session_id) to check existence. Because TempSession.__init__() always creates the directory, any arbitrary session_id becomes a real session directory during lookup.
Impact
- Missing sessions return the wrong error path instead of a clean not-found result
- Requests with random IDs keep creating empty directories under
/tmp/vmarker
- Path-like IDs such as
../../../etc should be rejected instead of participating in path resolution
Proposed fix
- Separate creating a new temp session from opening an existing one
- Validate
session_id before using it in filesystem paths
- Add regression coverage for missing sessions and path traversal style inputs
Notes
A fix branch already exists in my fork: luojiyin1987:fix/session-id-validation.
Summary
get_session()currently constructsTempSession(session_id)to check existence. BecauseTempSession.__init__()always creates the directory, any arbitrarysession_idbecomes a real session directory during lookup.Impact
/tmp/vmarker../../../etcshould be rejected instead of participating in path resolutionProposed fix
session_idbefore using it in filesystem pathsNotes
A fix branch already exists in my fork:
luojiyin1987:fix/session-id-validation.