Re: [Cgi-session-user] Re: Security issue about CGI::Session
From: Matt L. <mle...@cp...> - 2006-03-23 21:40:26
My current opinion on the matter is that we do away with a default location for the sqlite database file. Neither the mysql nor postgresql drivers have this behavior and providing a default location just encourages an unsafe practice.

-Matt

Julien Danjou wrote:
> I did not know that, so my way of fixing the problem is totally wrong,
> in this way. If having an empty file confuses DBI, that's not the good
> path to follow.
>
> Another way to fix this, also suggested by Joey, would be to create a
> directory under $TmpDir (if no full path is given) owned by the user.
>
> The idea is the following (this is not real Perl code):
>
> ! -d /tmp/sqlite-$user && mkdir /tmp/sqlite-$user
> if(-d /tmp/sqlite-$user)
> {
>   checkOwnerOfThisDirectory() or die "Directory owned by someone else?"
>   chmod 0700 /tmp/sqlite-$user or die "Unable to chmod, directory owned
>   by someone else?";
>   DataSource = /tmp/sqlite-$user/sqlite.db;
> }
>
> Just keep in mind that you don't want to write directly to /tmp as
> someone could have created another sqlite database here.
>
> There could be other and better ways to fix it, but I don't have any other
> in mind for now.
>
> Cheers,
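The per-user directory scheme sketched in the quoted pseudocode above, written out as working Perl. This is an added example and is not code from the thread or from CGI::Session itself; the function name `private_sqlite_dsn`, the use of the numeric uid in the directory name, and the returned DBI data source string are assumptions of the example. The security-relevant details are the ones the pseudocode glosses over: `mkdir` is attempted first with mode 0700 (so creation is atomic and `EEXIST` is the only tolerated failure), the path is inspected with `lstat` rather than `stat` so a symlink planted by another user is not followed, and ownership and mode are verified before anything is written into the directory.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): choose a per-user SQLite
# directory under the temp dir, refusing anything that is not a directory
# we own with mode 0700. Function name and DSN format are assumptions.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(:mode);
use File::Spec;

sub private_sqlite_dsn {
    my ($tmp_dir) = @_;
    $tmp_dir = File::Spec->tmpdir unless defined $tmp_dir;

    # Use the numeric real uid rather than a login name: names can be
    # ambiguous, the uid is what the kernel checks ownership against.
    my $uid = $<;
    my $dir = File::Spec->catdir($tmp_dir, "sqlite-$uid");

    # Try to create first. mkdir with mode 0700 is atomic, so there is no
    # window between "does it exist?" and "create it" for someone else to
    # plant a directory or symlink with the same name.
    unless (mkdir $dir, 0700) {
        die "cannot create $dir: $!" unless $! == EEXIST;
    }

    # lstat, not stat: if another user dropped a symlink at this path we
    # want to see the link itself, not whatever it points at.
    my @st = lstat $dir or die "cannot lstat $dir: $!";
    my ($mode, $owner) = @st[2, 4];

    die "$dir is not a directory (symlink or file planted in $tmp_dir?)"
        unless S_ISDIR($mode);
    die "$dir is owned by uid $owner, not by uid $uid"
        unless $owner == $uid;

    # Only now that the path is known to be our own directory is it safe
    # to tighten the mode; chmod on an unverified path would follow links.
    if (($mode & 0777) != 0700) {
        chmod 0700, $dir or die "cannot chmod $dir: $!";
    }

    my $db = File::Spec->catfile($dir, 'sqlite.db');
    return "dbi:SQLite:dbname=$db";
}

# Usage: prints something like dbi:SQLite:dbname=/tmp/sqlite-1000/sqlite.db
print private_sqlite_dsn(), "\n";
```

The ownership check is what turns the shared, world-writable temp directory into something a single user can rely on: a pre-existing `/tmp/sqlite-1000` created by someone else fails the `$owner == $uid` test and the code dies instead of silently opening a database file the other user controls, which is the scenario the quoted message warns about.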