Re: [Cgi-session-user] Re: Security issue about CGI::Session
From: Mark S. <ma...@su...> - 2006-03-23 21:04:39
Comments below.

> Mark Stosberg wrote:
> > On Thu, Mar 23, 2006 at 12:42:18PM -0600, Matt LeBlanc wrote:
> >
> > > Mark and Sherzod, shouldn't we create the session table if we create the
> > > database file?
> >
> > I just read what "O_CREAT" does. I think we should remove this flag. We
> > don't create the database and table for any of the SQL drivers, so
> > why do it here?

On Thu, Mar 23, 2006 at 02:10:56PM -0600, Matt LeBlanc wrote:
> Mark,
>
> If we remove O_CREAT, we might as well remove O_EXCL because O_EXCL does
> nothing without O_CREAT. If we do that, then this entire exercise
> becomes sort of moot.
>
> To get down to what we need, let's consider a few things:
>
> 1) Do we want to create databases that don't exist or should we just
> error out in those particular cases?
> 2) If we don't create the database, should we really limit the user from
> using symlinks for the database file?
>
> My opinions on the matter are thus:
> 1) Error out.
> 2) No, we shouldn't. In my experience with DBD::SQLite, if a file exists
> and it is not recognized by DBD::SQLite as being a sqlite database, a
> valid database handle is not created. Also, I can think of several cases
> where one might want to have a symlink for a sqlite database.

I agree with you Matt. Your suggestions are consistent with how we treat
other database backends, which is that the creation of the database and
the session table is /not/ handled by CGI::Session.

I think we've had some confusion because each of us understood some part
of the issue, but I don't think we've all been clear about it until now!

Mark
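The flag semantics argued over in this thread (O_EXCL being inert without O_CREAT, O_CREAT|O_EXCL refusing symlinks, and the "just error out" alternative of opening without O_CREAT) are easy to check directly. The following is an added example written for this page, not code from CGI::Session or DBD::SQLite; it uses Python's os.open and sqlite3 rather than Perl so it runs with no extra modules, and every path, file name and file content it uses is constructed inside a temporary directory. The last four cases go one step beyond the thread and show what SQLite itself does with the files each policy leaves behind.

```python
# Added example (not CGI::Session or DBD::SQLite code): exercises the open(2)
# flag combinations debated in the thread against a throwaway directory, then
# shows what SQLite makes of the resulting files.
import errno
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def try_open(path, flags, mode=0o600):
    """os.open() wrapper: "ok" on success, otherwise the errno name (e.g. "EEXIST")."""
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return "ok"


def has_sqlite_header(path):
    """Cheap sanity check: does the file start with the SQLite 3 magic string?"""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def sqlite_usable(path):
    """True if sqlite3 can actually run a statement against the file.

    sqlite3.connect() does not read the header; SQLITE_NOTADB only surfaces
    on the first statement, so a successful connect() alone proves nothing.
    """
    conn = sqlite3.connect(path)
    try:
        conn.execute("SELECT count(*) FROM sqlite_master")
        return True
    except sqlite3.DatabaseError:
        return False
    finally:
        conn.close()


def run_cases():
    """Return a dict of case name -> outcome; all paths live in a tempdir."""
    out = {}
    with tempfile.TemporaryDirectory() as d:

        def p(name):
            return os.path.join(d, name)

        # Constructed fixtures: a file that is not SQLite, and a symlink that
        # points nowhere (the shape of a symlink attack on a predictable path).
        with open(p("garbage.db"), "wb") as fh:
            fh.write(b"not a sqlite file\n" * 16)
        os.symlink(p("victim-target"), p("link.db"))

        creat_excl = os.O_RDWR | os.O_CREAT | os.O_EXCL

        # O_CREAT|O_EXCL refuses every existing path, symlinks included
        # (POSIX: the open fails regardless of where the link points).
        out["creat_excl_existing"] = try_open(p("garbage.db"), creat_excl)
        out["creat_excl_symlink"] = try_open(p("link.db"), creat_excl)
        out["creat_excl_missing"] = try_open(p("fresh.db"), creat_excl)

        # O_EXCL without O_CREAT has no effect: the existing file just opens.
        out["excl_only_existing"] = try_open(p("garbage.db"), os.O_RDWR | os.O_EXCL)

        # "Error out" policy (no O_CREAT at all): a missing file and a dangling
        # symlink both fail with ENOENT; an existing file opens normally.
        out["no_creat_missing"] = try_open(p("never-made.db"), os.O_RDWR)
        out["no_creat_symlink"] = try_open(p("link.db"), os.O_RDWR)
        out["no_creat_existing"] = try_open(p("garbage.db"), os.O_RDWR)

        # What SQLite does with them: the zero-byte file left by O_CREAT|O_EXCL
        # is adopted as a brand-new database, while the garbage file is only
        # rejected once a statement runs.
        out["fresh_header"] = has_sqlite_header(p("fresh.db"))
        out["fresh_usable"] = sqlite_usable(p("fresh.db"))
        out["garbage_header"] = has_sqlite_header(p("garbage.db"))
        out["garbage_usable"] = sqlite_usable(p("garbage.db"))
    return out


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:22s} {outcome}")
```

Two things in the output are worth noting for the policy decision above. Dropping O_CREAT does make O_EXCL meaningless, exactly as Matt says, so the choice is really between "create atomically and refuse symlinks" and "open what is there and fail if it is missing". And because SQLite treats an empty file as a fresh database, a zero-byte file created by O_CREAT|O_EXCL works while a file with the wrong contents only fails on the first statement, so any driver that wants to "error out" cleanly should verify the file (header check or a probe statement) before handing back a session handle.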