Re: [Cgi-session-user] Re: Security issue about CGI::Session
From: Matt L. <mle...@cp...> - 2006-03-23 20:12:57
Mark,

If we remove O_CREAT, we might as well remove O_EXCL because O_EXCL does nothing without O_CREAT. If we do that, then this entire exercise becomes sort of moot. To get down to what we need, let's consider a few things:

1) Do we want to create databases that don't exist or should we just error out in those particular cases?
2) If we don't create the database, should we really limit the user from using symlinks for the database file?

My opinions on the matter are thus:

1) Error out.
2) No, we shouldn't.

In my experience with DBD::SQLite, if a file exists and it is not recognized by DBD::SQLite as being a sqlite database, a valid database handle is not created. Also, I can think of several cases where one might want to have a symlink for a sqlite database.

-Matt

Mark Stosberg wrote:
> On Thu, Mar 23, 2006 at 12:42:18PM -0600, Matt LeBlanc wrote:
>
>> Mark and Sherzod, shouldn't we create the session table if we create the
>> database file?
>>
>
> I just read what "O_CREAT" does. I think we should remove this flag. We
> don't create the database and table for any of the SQL drivers, so
> why do it here?
>
> Mark
>
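The flag combinations discussed in this message, as an added example that is not part of the original email or of CGI::Session's code: a Perl script that tries `sysopen` with each combination against an existing file, a symlink to it, a dangling symlink and a missing path. The file names are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not CGI::Session code): how the sysopen flags under
# discussion behave for a missing file, an existing file, and symlinks.
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Try to open $path with $flags; return "ok" or the errno name on failure.
sub try_open {
    my ($path, $flags) = @_;
    if (sysopen(my $fh, $path, $flags, 0600)) {
        close $fh;
        return 'ok';
    }
    return $!{EEXIST} ? 'EEXIST' : $!{ENOENT} ? 'ENOENT' : "error: $!";
}

my $dir     = tempdir(CLEANUP => 1);   # constructed scratch directory
my $real    = "$dir/sessions.db";      # hypothetical database file name
my $link    = "$dir/link.db";          # symlink to the existing file
my $dangle  = "$dir/dangling.db";      # symlink to a missing target
my $missing = "$dir/missing.db";       # path that does not exist

open(my $fh, '>', $real) or die "create $real: $!";
close $fh;
symlink($real, $link)            or die "symlink: $!";
symlink("$dir/nowhere", $dangle) or die "symlink: $!";

my %modes = (
    'O_RDWR'                => O_RDWR,
    'O_RDWR|O_CREAT'        => O_RDWR | O_CREAT,
    'O_RDWR|O_CREAT|O_EXCL' => O_RDWR | O_CREAT | O_EXCL,
);

for my $mode (sort keys %modes) {
    for my $case ([existing => $real], [symlink => $link],
                  [dangling => $dangle], [missing => $missing]) {
        my ($label, $path) = @$case;
        printf "%-22s %-9s %s\n", $mode, $label, try_open($path, $modes{$mode});
        # Undo any file this attempt created so each case starts clean.
        unlink $missing;
        unlink "$dir/nowhere";
    }
}
```

With `O_CREAT|O_EXCL`, POSIX requires the open to fail with EEXIST when the path is a symbolic link, even a dangling one, whereas `O_CREAT` alone follows a dangling link and creates its target. Plain `O_RDWR` gives the "error out" behaviour for a missing database while still allowing a symlinked one.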