Item873: expired cgi session files not deleted
| Priority: | CurrentState: | AppliesTo: | Component: | WaitingFor: |
| Urgent | Closed | Engine | LoginManager.pm | Main.KennethLavrsen |
Description of the problem
Although tick_foswiki.pl is run (e.g. through a cron job), no CGI session files are deleted.
Diagnosis
Looking at the method expireDeadSessions in LoginManager.pm:
my @stat = stat("$Foswiki::cfg{WorkingDir}/tmp/$file");
my $lat = $stat[9] || $stat[10] || 0;
unlink $file if ( $time - $lat >= $exp );
The problem is the unlink line. Here the path is missing!
unlink "$Foswiki::cfg{WorkingDir}/tmp/$file" if ( $time - $lat >= $exp );
Since $file is untainted, I hope there's no problem with my solution, above.
This path is necessary because the cgisession-files are (normally) not in the current directory. This is especially true if you use the documented cron-job entry, cf. tick_foswiki.pl
# It is intended to be run as a cron job (remember it has to be run
# by a user who can write files created by the webserver user!)
# For example,
#
# 0 0 * * 0 cd /usr/foswiki/bin && perl ../tools/tick_foswiki.pl
--
ChristianLudwig - 26 Jan 2009
Confirmed.
I believe the fix you suggested is OK. I came to the exact same solution.
The $file is untainted and I am sure the $Foswiki::cfg{WorkingDir} is considered part of the code files and not tainted either.
This bug is so severe that I will put it on the known issues page.
--
KennethLavrsen - 26 Jan 2009
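
The failure mode discussed in this item, as an added example that is not Foswiki code: a scratch directory stands in for the session directory, and the same expiry loop is run once with the bare file name and once with the full path while the working directory is somewhere else. The function name expire_sessions, the cgisess_ file names and the one-hour expiry are assumptions made for the demonstration. It also checks the return value of unlink, which is what makes the bare-name failure visible instead of silent.

```perl
#!/usr/bin/perl
# Added example (not Foswiki code): reproduces the bare-filename unlink bug
# in a scratch directory and shows the full-path fix with error reporting.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Remove session files in $dir whose mtime is at least $exp seconds old.
# $full_path = 0 mimics the reported bug, 1 applies the suggested fix.
sub expire_sessions {
    my ( $dir, $exp, $full_path ) = @_;
    my $time    = time();
    my $removed = 0;
    opendir( my $dh, $dir ) or die "opendir $dir: $!";
    foreach my $file ( grep { /^cgisess_[0-9a-f]+$/ } readdir($dh) ) {
        my $path = File::Spec->catfile( $dir, $file );
        my @stat = stat($path);
        my $lat  = $stat[9] || $stat[10] || 0;
        next unless $time - $lat >= $exp;
        my $target = $full_path ? $path : $file;
        # unlink returns the number of files deleted; 0 means it failed.
        if ( unlink $target ) { $removed++ }
        else                  { warn "unlink $target failed: $!\n" }
    }
    closedir($dh);
    return $removed;
}

# Constructed test data: two stale session files and one fresh one.
my $tmp = tempdir( CLEANUP => 1 );
my $old = time() - 7200;
for my $id (qw(aaaa1111 bbbb2222 cccc3333)) {
    my $path = File::Spec->catfile( $tmp, "cgisess_$id" );
    open( my $fh, '>', $path ) or die "open $path: $!";
    close($fh);
    utime( $old, $old, $path ) unless $id eq 'cccc3333';
}

# Like the cron entry, run from a directory that is not the session dir.
chdir File::Spec->rootdir() or die "chdir: $!";

printf "bare name: %d removed\n", expire_sessions( $tmp, 3600, 0 );
printf "full path: %d removed\n", expire_sessions( $tmp, 3600, 1 );
```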