1 files changed, 21 insertions, 10 deletions

diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb
index 48f3496939..9187dbf82d 100644
--- a/lib/cgi/session.rb
+++ b/lib/cgi/session.rb
@@ -1,3 +1,4 @@
+# Copyright (C) 2001  Yukihiro "Matz" Matsumoto
 # Copyright (C) 2000  Network Applied Communication Laboratory, Inc.
 # Copyright (C) 2000  Information-technology Promotion Agency, Japan
 
@@ -15,23 +16,22 @@ class CGI
       }
     end
 
-    def create_new_id
+    def Session::create_new_id
       require 'md5'
       md5 = MD5::new
       md5.update(String(Time::now))
       md5.update(String(rand(0)))
       md5.update(String($$))
       md5.update('foobar')
-      @session_id = md5.hexdigest[0,16]
+      md5.hexdigest[0,16]
     end
-    private :create_new_id
 
     def initialize(request, option={})
       session_key = option['session_key'] || '_session_id'
       id, = option['session_id']
       unless id
 	if option['new_session']
-	  id = create_new_id
+	  id = Session::create_new_id
 	end
       end
       unless id
@@ -43,7 +43,7 @@ class CGI
 	  if option.key?('new_session') and not option['new_session']
 	    raise ArgumentError, "session_key `%s' should be supplied"%session_key
 	  end
-	  id = create_new_id
+	  id = Session::create_new_id
 	end
       end
       @session_id = id
@@ -54,7 +54,9 @@ class CGI
 	@output_cookies =  [
           Cookie::new("name" => session_key,
 		      "value" => id,
-		      "path" => if ENV["SCRIPT_NAME"] then
+		      "path" => if option['session_path'] then
+				  option['session_path']
+		                elsif ENV["SCRIPT_NAME"] then
 				  File::dirname(ENV["SCRIPT_NAME"])
 				else
 				  ""
@@ -94,10 +96,18 @@ class CGI
     end
 
     class FileStore
+      def check_id(id)
+	/[^0-9a-zA-Z]/ =~ id.to_s ? false : true
+      end
+
       def initialize(session, option={})
 	dir = option['tmpdir'] || ENV['TMP'] || '/tmp'
 	prefix = option['prefix'] || ''
-	path = dir+"/"+prefix+session.session_id
+	id = session.session_id
+	unless check_id(id)
+	  raise ArgumentError, "session_id `%s' is invalid" % id
+	end
+	path = dir+"/"+prefix+id
 	path.untaint
 	unless File::exist? path
 	  @hash = {}
@@ -132,6 +142,7 @@ class CGI
       end
 
       def close
+	return if @f.closed?
 	update
 	@f.close
       end
@@ -146,9 +157,9 @@ class CGI
     class MemoryStore
       GLOBAL_HASH_TABLE = {}
 
-      def initialize(session, option={})
+      def initialize(session, option=nil)
 	@session_id = session.session_id
-	GLOBAL_HASH_TABLE[@session_id] = {}
+	GLOBAL_HASH_TABLE[@session_id] ||= {}
       end
 
       def restore
@@ -164,7 +175,7 @@ class CGI
       end
 
       def delete
-	GLOBAL_HASH_TABLE[@session_id] = nil
+	GLOBAL_HASH_TABLE.delete(@session_id)
       end
     end
   end