Check file sizes in session dir before validation

For pip installed instances of Whoogle, there seems to be an issue where files other than sessions are being stored in the same directory as the sessions. From a brief investigation, this does not seem to be caused by Whoogle, since Flask-Session objects are the only files stored in that directory. It could be an issue with the library that is being used for sessions, however. Regardless, the app shouldn't crash when trying to validate and remove invalid sessions, so a file size limit of 4KB was imposed during validation. Any file found in the session directory that exceeds this size limit will be ignored. Fixes #777 Fixes #793
2022-06-16 11:50:13 -06:00 · 2022-06-16 11:50:13 -06:00 · cb5557cc2e
commit cb5557cc2e
parent c9ee9dcc8b
2 changed files with 6 additions and 0 deletions
--- a/app/init.py
+++ b/app/init.py
@ -78,6 +78,7 @@ app.config['CONFIG_DISABLE'] = read_config_bool('WHOOGLE_CONFIG_DISABLE')
 app.config['SESSION_FILE_DIR'] = os.path.join(
    app.config['CONFIG_PATH'],
    'session')
+app.config['MAX_SESSION_SIZE'] = 4000  # Sessions won't exceed 4KB
 app.config['BANG_PATH'] = os.getenv(
    'CONFIG_VOLUME',
    os.path.join(app.config['STATIC_FOLDER'], 'bangs'))
--- a/app/routes.py
+++ b/app/routes.py
@ -73,6 +73,11 @@ def session_required(f):
            session_path = os.path.join(
                app.config['SESSION_FILE_DIR'],
                user_session)
+
+            # Ignore any files that are larger than the max session file size
+            if os.path.getsize(session_path) > app.config['MAX_SESSION_SIZE']:
+                continue
+
            try:
                with open(session_path, 'rb') as session_file:
                    _ = pickle.load(session_file)