Re: [Cgi-session-user] Re: Security issue about CGI::Session
From: Julien D. <ju...@da...> - 2006-03-23 21:20:43
On Thu, Mar 23, 2006 at 04:04:28PM -0500, Mark Stosberg wrote:
>
> > 2) No, we shouldn't. In my experience with DBD::SQLite, if a file exists
> > and it is not recognized by DBD::SQLite as being a sqlite database, a
> > valid database handle is not created.

I did not know that, so my way of fixing the problem is totally wrong, in
this way. If having an empty file confuses DBI, that's not a good path to
follow.

Another way to fix this, also suggested by Joey, would be to create a
directory under $TmpDir (if no full path is given) owned by the user.

The idea is the following (this is not real Perl code):

    ! -d /tmp/sqlite-$user && mkdir /tmp/sqlite-$user
    if(-d /tmp/sqlite-$user)
    {
        checkOwnerOfThisDirectory() or die "Directory owned by someone else?"
        chmod 0700 /tmp/sqlite-$user or die "Unable to chmod, directory owned by someone else?";
        DataSource = /tmp/sqlite-$user/sqlite.db;
    }

Just keep in mind that you don't want to write directly to /tmp, as someone
could have created another sqlite database here.

There could be other, better ways to fix it, but I don't have any other in
mind for now.

Cheers,
-- 
Julien Danjou
// <ju...@da...> http://julien.danjou.info
// 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
// Ferns will rule the world.
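The per-user directory idea from the message above, as an added Perl example (not part of the original message and not CGI::Session's own code). The helper name private_db_path and the scratch directories used in the demo are assumptions; the example goes slightly beyond the pseudocode by using lstat so that a symlink planted at the expected name is rejected.

```perl
#!/usr/bin/perl
# Added example: per-user private directory for the SQLite file.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(:mode);
use File::Spec;

# private_db_path() is a hypothetical helper; $base stands in for $TmpDir.
sub private_db_path {
    my ($base) = @_;
    my $user = getpwuid($>) // $>;    # effective user name, or uid if unnamed
    my $dir  = File::Spec->catdir($base, "sqlite-$user");

    # mkdir is atomic: it fails with EEXIST if anything is already there,
    # including a symlink, so there is no separate "-d then mkdir" window.
    unless (mkdir $dir, 0700) {
        die "mkdir $dir: $!\n" unless $! == EEXIST;
    }

    # lstat, not stat: do not follow a symlink created by another user.
    my @st = lstat $dir or die "lstat $dir: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$dir is not a real directory\n" unless S_ISDIR($mode);
    die "$dir is owned by uid $uid, not by us\n" unless $uid == $>;

    # We own it, so tighten the mode and confirm nobody else can reach it.
    chmod 0700, $dir or die "chmod $dir: $!\n";
    @st = lstat $dir or die "lstat $dir: $!\n";
    die "$dir is still accessible to others\n"
        if $st[2] & (S_IRWXG | S_IRWXO);

    return File::Spec->catfile($dir, 'sqlite.db');
}

# Constructed demo in scratch directories rather than the real /tmp.
unless (caller) {
    require File::Temp;
    my $base = File::Temp::tempdir(CLEANUP => 1);
    print "DataSource: ", private_db_path($base), "\n";

    # A pre-existing symlink at the expected name must be refused.
    my $trap = File::Temp::tempdir(CLEANUP => 1);
    my $user = getpwuid($>) // $>;
    symlink $base, "$trap/sqlite-$user" or die "symlink: $!\n";
    eval { private_db_path($trap); 1 } or print "rejected: $@";
}
```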