
Item873: expired cgi session files not deleted

Priority: Urgent
Current State: Closed
Released In: 1.0.1
Target Release: patch
Applies To: Engine
Component: LoginManager.pm
Branches:
Reported By: ChristianLudwig
Waiting For: Main.KennethLavrsen
Last Change By: KennethLavrsen

Description of the problem

Although tick_foswiki.pl is run (e.g. through a cron job) no CGI session files are deleted.

Diagnosis

Looking at the method expireDeadSessions in LoginManager.pm:
        # stat() is given the full path to the session file ...
        my @stat = stat("$Foswiki::cfg{WorkingDir}/tmp/$file");
        my $lat = $stat[9] || $stat[10] || 0;
        # ... but unlink() only gets the bare file name, relative to the current directory
        unlink $file if ( $time - $lat >= $exp );

The problem is the unlink line. Here the path is missing!
        unlink "$Foswiki::cfg{WorkingDir}/tmp/$file" if ( $time - $lat >= $exp );
Since $file is untainted, I hope there's no problem with my solution above.

This path is necessary because the CGI session files are (normally) not in the current directory. This is especially true if you use the documented cron job entry, cf. tick_foswiki.pl:
# It is intended to be run as a cron job (remember it has to be run
# by a user who can write files created by the webserver user!)
# For example,
#
# 0 0 * * 0 cd /usr/foswiki/bin && perl ../tools/tick_foswiki.pl

-- ChristianLudwig - 26 Jan 2009

Confirmed.

I believe the fix you suggested is OK. I came to the exact same solution.

The $file is untainted and I am sure the $Foswiki::cfg{WorkingDir} is considered part of the code files and not tainted either.

This bug is so severe that I will put it on the known issues page.

-- KennethLavrsen - 26 Jan 2009
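The corrected sweep in a stand-alone form, as an added example rather than Foswiki's own code: it builds the full path once and uses it for both stat and unlink, so the result no longer depends on the cron job's working directory. The cgisess_ file-name pattern, the use of $dir in place of $Foswiki::cfg{WorkingDir}/tmp, and the demo set-up are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Remove session files in $dir whose last access (falling back to last
# change) time is more than $exp seconds old. Returns the number removed.
# $dir stands in for $Foswiki::cfg{WorkingDir}/tmp (assumption).
sub expire_dead_sessions {
    my ( $dir, $exp ) = @_;
    my $time    = time();
    my $removed = 0;

    opendir( my $dh, $dir ) or die "Cannot open $dir: $!";
    while ( my $file = readdir($dh) ) {
        # Assumed naming of CGI::Session file-driver sessions; the match
        # also untaints the name, so only the matched part is used below.
        next unless $file =~ /^(cgisess_[0-9a-f]+)$/;
        $file = $1;

        # Build the full path once and use it for BOTH stat and unlink.
        my $path = File::Spec->catfile( $dir, $file );
        my @stat = stat($path) or next;
        my $lat = $stat[9] || $stat[10] || 0;    # atime, else ctime

        next unless $time - $lat >= $exp;
        if ( unlink $path ) {
            $removed++;
        }
        else {
            # With the full path, a failed unlink is a real problem
            # (permissions, already gone, ...) and is worth reporting.
            warn "Could not unlink $path: $!";
        }
    }
    closedir($dh);
    return $removed;
}

# Demo (constructed): two session files, one backdated by two hours,
# swept with a one-hour expiry from an unrelated working directory.
my $dir = tempdir( CLEANUP => 1 );
for my $name (qw(cgisess_aa11 cgisess_bb22)) {
    open( my $fh, '>', "$dir/$name" ) or die "Cannot create $name: $!";
    close($fh);
}
my $old = time() - 7200;
utime( $old, $old, "$dir/cgisess_aa11" ) or die "utime: $!";
chdir('/') or die "chdir: $!";
print 'removed: ', expire_dead_sessions( $dir, 3600 ), "\n";
```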

Summary: expired cgi session files not deleted
Reported By: ChristianLudwig
Codebase: 1.0.0, trunk
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
Applies To: Engine
Component: LoginManager.pm
Priority: Urgent
Current State: Closed
Waiting For: KennethLavrsen
Checkins: distro:690859996e36
Target Release: patch
Released In: 1.0.1
Topic revision: r4 - 23 Feb 2009, KennethLavrsen