[Cgi-session-user] Re: Security issue about CGI::Session
From: Julien D. <ju...@da...> - 2006-03-23 19:02:48
On Thu, Mar 23, 2006 at 12:42:18PM -0600, Matt LeBlanc wrote:

Hello Matt,

> Thanks for the patch. I have two questions, though.
>
> 1) Wouldn't this attempt to create a file of the form
> "dbi:SQLite:dbname=file_we_should_be_checking"

Oops, after re-reading, I did not see that DataSource was overwritten.
The sysopen() should be just before the unless block {}, 2 lines above, I guess.

> 2) Shouldn't you be checking the return of sysopen?

Probably; this patch is probably not totally usable, that's mainly a proof of concept. :-)

> Anyway, I've committed a patch to pull the filename back out of the dsn,
> check for a symlink, and create the file if it doesn't exist.

Seems perfect.

Thanks,

Cheers,
-- 
Julien Danjou
// <ju...@da...> http://julien.danjou.info
// 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
// Tomorrow I was nothing, yesterday I'll be.
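The three steps mentioned in the thread (pull the file name out of the DSN, reject a symlink, create the file if it is missing while checking the return of sysopen()) can be sketched as below. This is an added example, not the patch committed to CGI::Session; the helper names `sqlite_file_from_dsn` and `ensure_session_file` and the demo paths are hypothetical, and a POSIX system is assumed.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Hypothetical helper: pull the file name out of a DSN such as
# "dbi:SQLite:dbname=/path/to/sessions.db".
sub sqlite_file_from_dsn {
    my ($dsn) = @_;
    return $dsn =~ /^dbi:SQLite:(?:[^;]*;)*dbname=([^;]+)/i ? $1 : undef;
}

# Hypothetical helper: make sure the database file exists and is not a symlink.
sub ensure_session_file {
    my ($dsn) = @_;
    my $file = sqlite_file_from_dsn($dsn);
    die "no dbname in DSN '$dsn'\n" unless defined $file;

    # O_CREAT|O_EXCL creates the file atomically and fails with EEXIST if the
    # path already exists, even as a dangling symlink, so nothing is followed.
    if (sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
        close($fh) or die "close $file: $!\n";
        return $file;
    }
    die "cannot create $file: $!\n" unless $!{EEXIST};   # checked return value

    # Path already exists: lstat() inspects the link itself, not its target.
    # A check-then-use window remains here if the directory is writable by others.
    lstat($file) or die "lstat $file: $!\n";
    die "refusing to use symlink $file\n" if -l _;
    die "$file is not a regular file\n" unless -f _;
    return $file;
}

# Constructed demo in a private temporary directory.
my $dir = tempdir(CLEANUP => 1);
symlink("$dir/elsewhere", "$dir/link.db") or die "symlink: $!\n";
for my $name (qw(sessions.db sessions.db link.db)) {
    my $dsn = "dbi:SQLite:dbname=$dir/$name";
    my $ok  = eval { ensure_session_file($dsn) };
    print defined $ok ? "ok       $name\n" : "rejected $name: $@";
}
```

The first two calls succeed (create, then reuse of a regular file); the third is rejected because the path is a symlink.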