Check file sizes in session dir before validation

For pip installed instances of Whoogle, there seems to be an issue where
files other than sessions are being stored in the same directory as the
sessions. From a brief investigation, this does not seem to be caused by
Whoogle, since Flask-Session objects are the only files stored in that
directory. It could be an issue with the library that is being used for
sessions, however.

Regardless, the app shouldn't crash when trying to validate and remove
invalid sessions, so a file size limit of 4KB was imposed during
validation. Any file found in the session directory that exceeds this
size limit will be ignored.

Fixes #777
Fixes #793
main
Ben Busby 2022-06-16 11:50:13 -06:00
parent c9ee9dcc8b
commit cb5557cc2e
No known key found for this signature in database
GPG Key ID: B9B7231E01D924A1
2 changed files with 6 additions and 0 deletions

View File

@ -78,6 +78,7 @@ app.config['CONFIG_DISABLE'] = read_config_bool('WHOOGLE_CONFIG_DISABLE')
app.config['SESSION_FILE_DIR'] = os.path.join(
app.config['CONFIG_PATH'],
'session')
app.config['MAX_SESSION_SIZE'] = 4000 # Sessions won't exceed 4KB
app.config['BANG_PATH'] = os.getenv(
'CONFIG_VOLUME',
os.path.join(app.config['STATIC_FOLDER'], 'bangs'))

View File

@ -73,6 +73,11 @@ def session_required(f):
session_path = os.path.join(
app.config['SESSION_FILE_DIR'],
user_session)
# Ignore any files that are larger than the max session file size
if os.path.getsize(session_path) > app.config['MAX_SESSION_SIZE']:
continue
try:
with open(session_path, 'rb') as session_file:
_ = pickle.load(session_file)