[Cgi-session-user] Re: Security issue about CGI::Session
From: Matt L. <mle...@cp...> - 2006-03-23 18:45:46
Julien,

Thanks for the patch. I have two questions, though.

1) Wouldn't this attempt to create a file of the form "dbi:SQLite:dbname=file_we_should_be_checking"?
2) Shouldn't you be checking the return of sysopen?

Anyway, I've committed a patch to pull the filename back out of the dsn, check for a symlink, and create the file if it doesn't exist.

Mark and Sherzod, shouldn't we create the session table if we create the database file?

Thanks,
Matt LeBlanc

Julien Danjou wrote:
> Please, could you test the patch attached?
> It is pretty small and I think you'll understand the underlying
> concept. :-)
>
> If it does not work, I'll try to fix it another way. So if you could
> send me a little program to test it, I would not have to annoy you to
> test another patch.
>
> Regards,
>
> ------------------------------------------------------------------------
>
> diff -ru CGI-Session-4.09/lib/CGI/Session/Driver/sqlite.pm libcgi-session-perl-4.09/lib/CGI/Session/Driver/sqlite.pm > --- CGI-Session-4.09/lib/CGI/Session/Driver/sqlite.pm 2006-03-17 06:03:45.000000000 +0100 > +++ libcgi-session-perl-4.09/lib/CGI/Session/Driver/sqlite.pm 2006-03-23 10:16:33.000000000 +0100 
> @@ -10,15 +10,18 @@ > > # @CGI::Session::Driver::sqlite::ISA = qw( CGI::Session::Driver::DBI ); > $CGI::Session::Driver::sqlite::VERSION = "1.4"; > +$CGI::Session::Driver::sqlite::UMask = 0660; > > sub init { > my $self = shift; > > + $self->{UMask} = $CGI::Session::Driver::db_file::UMask unless exists $self->{UMask}; > $self->{DataSource} ||= File::Spec->catfile( File::Spec->tmpdir, 'sessions.sqlt' ); > unless ( $self->{DataSource} =~ /^dbi:sqlite/i ) { > $self->{DataSource} = "dbi:SQLite:dbname=" . $self->{DataSource}; > } > > + sysopen(DATASOURCE, $self->{DataSource}, O_RDWR|O_CREAT|O_EXCL, $self->{UMask}) unless $self->{Handle}; > $self->{Handle} ||= DBI->connect( $self->{DataSource}, '', '', {RaiseError=>1, PrintError=>1, AutoCommit=>1}); > unless ( $self->{Handle} ) { > return $self->set_error( "init(): couldn't create \$dbh: " . $DBI::errstr ); > |
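
Review bot: The added `sysopen` line in `init` runs after `DataSource` has been rewritten to `"dbi:SQLite:dbname=" . $self->{DataSource}`, so it would create a file named after the whole DSN string rather than the database file, and its return value is never checked. With `O_EXCL` the call fails whenever anything already exists at that path, and because the result is ignored `DBI->connect` goes ahead regardless. Suggest calling `sysopen` on the plain path (before the prefix is added, or on the part after `dbname=`), checking the result and returning through `set_error` when the create fails for a reason other than the file already being there, and closing the `DATASOURCE` handle afterwards. Also in `init`, the default is read from `$CGI::Session::Driver::db_file::UMask`, while the line added just above defines `$CGI::Session::Driver::sqlite::UMask`; the two should name the same package. The value `0660` is passed as the permissions argument of `sysopen`, so it is a file mode rather than a umask, and the `UMask` name is misleading. The `O_RDWR|O_CREAT|O_EXCL` constants need an `Fcntl` import, and none is visible in this hunk.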