From cb5557cc2ef8f2c70121f1993c39dab47192a952 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Thu, 16 Jun 2022 11:50:13 -0600
Subject: [PATCH] Check file sizes in session dir before validation
For pip installed instances of Whoogle, there seems to be an issue where files other than sessions are being stored in the same directory as the sessions. From a brief investigation, this does not seem to be caused by Whoogle, since Flask-Session objects are the only files stored in that directory. It could be an issue with the library that is being used for sessions, however. Regardless, the app shouldn't crash when trying to validate and remove invalid sessions, so a file size limit of 4KB was imposed during validation. Any file found in the session directory that exceeds this size limit will be ignored. Fixes #777 Fixes #793
---
 app/__init__.py | 1 +
 app/routes.py | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/app/__init__.py b/app/__init__.py
index a69fb8a..fefa1d9 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -78,6 +78,7 @@ app.config['CONFIG_DISABLE'] = read_config_bool('WHOOGLE_CONFIG_DISABLE')
 app.config['SESSION_FILE_DIR'] = os.path.join(
 app.config['CONFIG_PATH'],
 'session')
+app.config['MAX_SESSION_SIZE'] = 4000 # Sessions won't exceed 4KB
 app.config['BANG_PATH'] = os.getenv(
 'CONFIG_VOLUME',
 os.path.join(app.config['STATIC_FOLDER'], 'bangs'))
diff --git a/app/routes.py b/app/routes.py
index 4d4e116..1f58a7d 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -73,6 +73,11 @@ def session_required(f):
 session_path = os.path.join(
 app.config['SESSION_FILE_DIR'],
 user_session)
+
+ # Ignore any files that are larger than the max session file size
+ if os.path.getsize(session_path) > app.config['MAX_SESSION_SIZE']:
+ continue
+
 try:
 with open(session_path, 'rb') as session_file:
 _ = pickle.load(session_file)
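Review bot: The new `MAX_SESSION_SIZE` entry in app/__init__.py does not state its unit, and its comment says 4KB while the value is 4000. routes.py compares it with `os.path.getsize()`, so the unit is bytes and the comment should say so, e.g. `# bytes; larger files in SESSION_FILE_DIR are skipped during session validation`. The comment also asserts that sessions never exceed this size, which nothing in the visible code enforces; a legitimate session file that grows past it would presumably be skipped rather than validated or removed, so the bound is better documented as an assumption.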
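Review bot: In app/routes.py, `os.path.getsize(session_path)` is called before the `try:` block, so an `OSError` from it (the file removed by another request between what is presumably a directory listing and the stat, or a dangling symlink) still propagates out of `session_required`, which is the crash this commit sets out to prevent. Guard the stat itself, e.g. `try: size = os.path.getsize(session_path)` followed by `except OSError: continue`, or make the check the first statement inside the existing `try:` if its handler (outside this hunk) covers `OSError`. The size cap is also not a trust check: any file of unknown origin under the limit is still passed to `pickle.load`, which runs code embedded in the pickle, so the session directory should be writable only by the app, and the loop would be safer if restricted to regular files the session backend is known to have written. The loop and the body of the `try` continue outside the hunk.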