Re: [Cgi-session-user] FW: Security issue about CGI::Session
From: Matt L. <mle...@cp...> - 2006-03-21 20:19:49
Sherzod,

Just to make this public for why I applied things the way I did, I decided not to include O_EXCL in sysopen for the file driver's store method specifically because the file is quite likely to already exist (i.e., the next time the person returns to your site). This is why the code now checks for symlinks prior to opening the file for writing and attempts to delete the file, returning an error if the deletion fails. If we wish to use O_EXCL on all sysopen calls, we can delete the file prior to writing. However, this is a suboptimal solution if we proceed with the flush-by-default in param strategy.

Now for the db_file driver. For storage, this one has the same deal. The database is created in a file and we would rather have it stay around, so using the O_EXCL flag creates problems. We protect against symlinks by deleting the literal symlink and, failing deletion, returning an error. Using O_EXCL for the lockfile would be OK if we could guarantee that it never exists, which we cannot (since we want to wait on the lock and not fail on the open). Thus all of these cases are protected by symlink checks, which was the reason to use O_EXCL in the first place.

I temporarily excluded O_EXCL from retrieve in db_file in the last release to pass tests (a pretty stupid mistake slipped through for 4.08), but the symlink checks are still in effect for retrieve as well. The fix has been committed and the next release will have O_EXCL for retrieve.

On the subject of the sqlite driver, we have no control over the creation of the sqlite database used with the sqlite driver. Perhaps we should add a note to the driver's pod that due diligence should be taken when creating the sqlite database and setting the database file's permissions?

Thanks,
Matt LeBlanc

Sherzod Ruzmetov wrote:
>
>> -----Original Message-----
>> From: Julien Danjou [mailto:ju...@da...]
>> Sent: Monday, March 20, 2006 12:27 PM
>> To: Sherzod Ruzmetov
>> Subject: Security issue about CGI::Session
>>
>>
>> Hello,
>>
>> I just saw you released 4.09, fixing security holes.
>> However, it seems that at least the "file" driver is still
>> vulnerable, since it does not use the O_EXCL flag. What do you think ?
>>
>> Do you plan to fix this and the sqlite holes ?
>>
>> Regards,
>> --
>> Julien Danjou
>> // <ju...@da...> http://julien.danjou.info
>> // 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
>> // I'm no superman.
>>
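As an added illustration of the two approaches discussed in the message above (a symlink check before sysopen when the session file is expected to already exist, versus refusing symlinks atomically in the open call itself), here is a Perl example. It is not CGI::Session's own code; the helper names open_session_file and open_session_file_checked and the cgisess_* file names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC O_NOFOLLOW);
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper (not from CGI::Session): open an existing-or-new session
# file for writing but refuse to follow a symlink at the final path component.
# O_NOFOLLOW makes the refusal part of the open() itself, so there is no window
# between a separate check and the open in which the path could be swapped,
# and the file is allowed to already exist (no O_EXCL needed).
sub open_session_file {
    my ($path) = @_;
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600)
        or return (undef, "refusing to open $path: $!");
    return ($fh, undef);
}

# Check-then-act variant in the spirit of the message: lstat() via -l first,
# unlink a symlink, and fail if the unlink fails. This still leaves a small
# window between the check and sysopen, which is why the O_NOFOLLOW form above
# is preferable where the platform supports it.
sub open_session_file_checked {
    my ($path) = @_;
    if (-l $path) {
        unlink($path) or return (undef, "could not remove symlink $path: $!");
    }
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_TRUNC, 0600)
        or return (undef, "could not open $path: $!");
    return ($fh, undef);
}

# Constructed demo: a session directory with one plain session file and one
# entry that is a symlink pointing at another file.
my $dir    = tempdir(CLEANUP => 1);
my $good   = File::Spec->catfile($dir, 'cgisess_good');
my $bad    = File::Spec->catfile($dir, 'cgisess_bad');
my $target = File::Spec->catfile($dir, 'target.txt');
open(my $t, '>', $target) or die "create $target: $!";
close $t;
symlink($target, $bad) or die "symlink: $!";

for my $p ($good, $bad) {
    my ($fh, $err) = open_session_file($p);
    if ($fh) { print "opened $p\n"; close $fh } else { print "$err\n" }
}
```

On Linux the symlinked entry fails with ELOOP from sysopen while the plain file opens normally; the checked variant is kept alongside for comparison of the two strategies.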