--- cherrypy/filters/sessionfilter.py	2006-04-25 04:37:45.000000000 +0300
+++ cherrypy/filters/sessionfilter.py	2008-01-08 23:01:09.000000000 +0200
@@ -326,6 +326,8 @@
             raise SessionStoragePathNotConfiguredError()
         fileName = self.SESSION_PREFIX + id
         file_path = os.path.join(storage_path, fileName)
+        if not os.path.normpath(file_path).startswith(storage_path):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return file_path
     
     def _lock_file(self, path):
--- cherrypy/test/test_session_filter.py	2006-04-25 04:37:40.000000000 +0300
+++ cherrypy/test/test_session_filter.py	2008-01-08 23:00:39.000000000 +0200
@@ -28,7 +28,7 @@
             'server.environment': 'production',
             'session_filter.on': True,
             'session_filter.storage_type' : 'file',
-            'session_filter.storage_path' : '.',
+            'session_filter.storage_path' : os.path.abspath('.'),
     })
 
 import helper