Critical severity · NVD Advisory · Published Feb 14, 2011 · Updated Apr 29, 2026
CVE-2011-0698
Description
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
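The platform dependence the description names, as an added example that is not Django's own code: a stand-in for the pre-fix `os.path.sep` blacklist beside the hex allowlist the fix introduced, evaluated under Windows (`ntpath`) and POSIX (`posixpath`) path rules so it runs on any host. `STORAGE_PATH`, `FILE_PREFIX`, `SuspiciousOperation` and the `escapes_storage` audit helper are constructed stand-ins, not the backend's real settings or API.

```python
import ntpath
import posixpath


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""

# Constructed settings; the real backend reads SESSION_FILE_PATH and
# SESSION_COOKIE_NAME from django.conf.settings.
STORAGE_PATH = r"C:\tmp\django_sessions"
FILE_PREFIX = "sessionid"

# The fix's allowlist: an md5 hexdigest only ever contains these characters.
VALID_KEY_CHARS = frozenset("abcdef0123456789")


def key_to_file_before(session_key, path=ntpath):
    """Pre-1.1.4 / pre-1.2.5 check: reject only the platform's primary
    separator. On Windows that is '\\' while '/' is an accepted alternate
    separator (ntpath.altsep), so a key containing '/' passes the check."""
    if path.sep in session_key:
        raise SuspiciousOperation("Invalid characters (directory components) in session key")
    return path.join(STORAGE_PATH, FILE_PREFIX + session_key)


def key_to_file_after(session_key, path=ntpath):
    """Fixed check: allowlist lowercase hex digits, so every separator, '.',
    and any other character is rejected on every platform."""
    if not set(session_key).issubset(VALID_KEY_CHARS):
        raise SuspiciousOperation("Invalid characters in session key")
    return path.join(STORAGE_PATH, FILE_PREFIX + session_key)


def resolve(session_key, check, windows=True):
    """Apply `check` under Windows (ntpath) or POSIX (posixpath) rules and
    return 'rejected' or the normalized file path the backend would open."""
    path = ntpath if windows else posixpath
    try:
        return path.normpath(check(session_key, path))
    except SuspiciousOperation:
        return "rejected"


def escapes_storage(file_path, windows=True):
    """Defender-side audit (hypothetical helper, not in Django): True if the
    resolved path lies outside STORAGE_PATH."""
    path = ntpath if windows else posixpath
    root = path.normcase(path.normpath(STORAGE_PATH))
    target = path.normcase(path.normpath(file_path))
    return target != root and not target.startswith(root + path.sep)
```

Under POSIX rules the old blacklist already rejects `a/b/c`, which is why the advisory is scoped to Windows; the allowlist rejects it everywhere.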
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.1, < 1.1.4 | 1.1.4 |
| Django (PyPI) | >= 1.2, < 1.2.5 | 1.2.5 |
Affected products
- cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*
Patches
570a32a047ea [1.1.X] Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
2 files changed · +15 −2
django/contrib/sessions/backends/file.py+4 −2 modified@@ -26,6 +26,8 @@ def __init__(self, session_key=None): self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) + VALID_KEY_CHARS = set("abcdef0123456789") + def _key_to_file(self, session_key=None): """ Get the file associated with this session key. @@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None): # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory # components. - if os.path.sep in session_key: + if not set(session_key).issubset(self.VALID_KEY_CHARS): raise SuspiciousOperation( - "Invalid characters (directory components) in session key") + "Invalid characters in session key") return os.path.join(self.storage_path, self.file_prefix + session_key)
django/contrib/sessions/tests.py+11 −0 modified@@ -129,6 +129,17 @@ >>> file_session = FileSession(file_session.session_key) >>> file_session.save() +# Ensure we don't allow directory traversal +>>> FileSession("a/b/c").load() +Traceback (innermost last): + ... +SuspiciousOperation: Invalid characters in session key + +>>> FileSession("a\\b\\c").load() +Traceback (innermost last): + ... +SuspiciousOperation: Invalid characters in session key + # Make sure the file backend checks for a good storage dir >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer" >>> FileSession()
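Review bot: the `VALID_KEY_CHARS` allowlist in the file.py hunk closes the real gap in the old `if os.path.sep in session_key:` test, which only looked for the platform's primary separator; on Windows that is `\`, so a `/` (which `ntpath` also accepts as a separator) passed the check and was joined into `self.storage_path`. Two follow-ups on the same lines: `set(session_key)` is rebuilt on every `_key_to_file` call, so `VALID_KEY_CHARS` could be a `frozenset` and the membership test hoisted into a small helper; and the comment above the check ("Session keys should always be md5s") is now the load-bearing assumption, so the `_key_to_file` docstring should say that the lowercase hex allowlist is the security boundary and that uppercase hex is rejected as well.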
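Review bot: the new doctests in the tests.py hunk only exercise the two separator forms (`FileSession("a/b/c")` and `FileSession("a\\b\\c")`), which is exactly what the old blacklist was meant to catch; since the fix is an allowlist, add a case with no separator but a character outside `abcdef0123456789` (a `.` or an uppercase hex digit) and expect the same `SuspiciousOperation: Invalid characters in session key`, so a later regression back to a separator blacklist would fail the suite.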
194566480b15 [1.2.X] Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
2 files changed · +15 −2
django/contrib/sessions/backends/file.py+4 −2 modified@@ -26,6 +26,8 @@ def __init__(self, session_key=None): self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) + VALID_KEY_CHARS = set("abcdef0123456789") + def _key_to_file(self, session_key=None): """ Get the file associated with this session key. @@ -36,9 +38,9 @@ def _key_to_file(self, session_key=None): # Make sure we're not vulnerable to directory traversal. Session keys # should always be md5s, so they should never contain directory # components. - if os.path.sep in session_key: + if not set(session_key).issubset(self.VALID_KEY_CHARS): raise SuspiciousOperation( - "Invalid characters (directory components) in session key") + "Invalid characters in session key") return os.path.join(self.storage_path, self.file_prefix + session_key)
django/contrib/sessions/tests.py+11 −0 modified@@ -129,6 +129,17 @@ >>> file_session = FileSession(file_session.session_key) >>> file_session.save() +# Ensure we don't allow directory traversal +>>> FileSession("a/b/c").load() +Traceback (innermost last): + ... +SuspiciousOperation: Invalid characters in session key + +>>> FileSession("a\\b\\c").load() +Traceback (innermost last): + ... +SuspiciousOperation: Invalid characters in session key + # Make sure the file backend checks for a good storage dir >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer" >>> FileSession()
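Review bot: this 1.2.X backport is line-for-line the same change as the 1.1.X commit above, so the same review points apply; one thing neither hunk shows is how the `session_key=None` default in the `_key_to_file` signature is resolved before the check, and `set(None)` raises `TypeError` rather than `SuspiciousOperation`, so confirm that `None` is replaced by `self.session_key` before the allowlist test (the context lines between `@@ -26` and `@@ -36` are not in the diff) and mention it in the docstring.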
References
- openwall.com/lists/oss-security/2011/02/09/6 (NVD: Patch, Web)
- www.djangoproject.com/weblog/2011/feb/08/security/ (NVD: Patch, Vendor Advisory)
- github.com/advisories/GHSA-7g9h-c88w-r7h2 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-0698 (GHSA: Advisory)
- www.djangoproject.com/weblog/2011/feb/08/security (GHSA: Web)
- www.mandriva.com/security/advisories (NVD: Web)
- github.com/django/django/commit/194566480b15cf4e294d3f03ff587019b74044b2 (GHSA: Web)
- github.com/django/django/commit/570a32a047ea56265646217264b0d3dab1a14dbd (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-12.yaml (GHSA: Web)
- web.archive.org/web/20110521033259/http://secunia.com/advisories/43230 (GHSA: Web)
- web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296 (GHSA: Web)
- secunia.com/advisories/43230 (NVD)
- www.securityfocus.com/bid/46296 (NVD)
- www.vupen.com/english/advisories/2011/0372 (NVD)
- www.vupen.com/english/advisories/2011/0439 (NVD)