Item873: expired cgi session files not deleted

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: LoginManager.pm
WaitingFor: Main.KennethLavrsen

Description of the problem

Although tick_foswiki.pl is run (e.g. through a cron job) no CGI session files are deleted.

Diagnosis

Looking at the method expireDeadSessions in LoginManager.pm:
        my @stat = stat("$Foswiki::cfg{WorkingDir}/tmp/$file");
  
        my $lat = $stat[9] || $stat[10] || 0;
        unlink $file if ( $time - $lat >= $exp );

The problem is the unlink line. Here the path is missing!
        unlink "$Foswiki::cfg{WorkingDir}/tmp/$file" if ( $time - $lat >= $exp );
Since $file is untainted, I hope there's no problem with my solution, above.

This path is necessary because the cgisession-files are (normally) not in the current directory. This is especially true if you use the documented cron-job entry, cf. tick_foswiki.pl:
# It is intended to be run as a cron job (remember it has to be run
# by a user who can write files created by the webserver user!)
# For example,
#
# 0 0 * * 0 cd /usr/foswiki/bin && perl ../tools/tick_foswiki.pl

-- ChristianLudwig - 26 Jan 2009

Confirmed.

I believe the fix you suggested is OK. I came to the exact same solution.

The $file is untainted and I am sure the $Foswiki::cfg{WorkingDir} is considered part of the code files and not tainted either.

This bug is so severe that I will put it on the known issues page.

-- KennethLavrsen - 26 Jan 2009
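
The failure discussed above can be reproduced outside Foswiki. This is an added example, not Foswiki's own code: temporary directories stand in for $Foswiki::cfg{WorkingDir}/tmp and for the cron job's working directory, and the expiry value and file names are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $tmp = tempdir( CLEANUP => 1 );    # stand-in for WorkingDir/tmp (assumption)
my $exp = 3600;                       # hypothetical expiry in seconds
my $now = time();

# Create a constructed session file whose mtime lies $age seconds in the past.
sub make_session {
    my ( $name, $age ) = @_;
    my $path = File::Spec->catfile( $tmp, $name );
    open( my $fh, '>', $path ) or die "create $path: $!";
    close($fh);
    utime( $now - $age, $now - $age, $path ) or die "utime $path: $!";
}
make_session( 'cgisess_stale1', 2 * $exp );
make_session( 'cgisess_stale2', 3 * $exp );
make_session( 'cgisess_fresh',  10 );

# Sweep expired files. With $with_path false, unlink gets the bare name
# returned by readdir, which is the behaviour reported in this item.
sub sweep {
    my ($with_path) = @_;
    my ( $removed, $failed ) = ( 0, 0 );
    opendir( my $dh, $tmp ) or die "opendir $tmp: $!";
    for my $file ( grep { /^cgisess_/ } readdir($dh) ) {
        my $full = File::Spec->catfile( $tmp, $file );
        my @stat = stat($full);
        my $lat  = $stat[9] || $stat[10] || 0;
        next unless $now - $lat >= $exp;
        my $target = $with_path ? $full : $file;
        # unlink returns the number of files removed; 0 means it failed.
        if ( unlink $target ) { $removed++ }
        else { $failed++; warn "unlink $target failed: $!\n" }
    }
    closedir($dh);
    return ( $removed, $failed );
}

# Run from a directory other than $tmp, as the cron entry does with cd .../bin.
my $other = tempdir( CLEANUP => 1 );
chdir($other) or die "chdir $other: $!";
printf "bare name: removed=%d failed=%d\n", sweep(0);
printf "full path: removed=%d failed=%d\n", sweep(1);
chdir( File::Spec->rootdir() ) or die "chdir: $!";    # let CLEANUP remove $other
```

The original loop ignored unlink's return value, so the failed deletions produced no output; checking it, as here, makes a sweep that removes nothing visible in the cron job's mail or log.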

ItemTemplate

Summary: expired cgi session files not deleted
ReportedBy: ChristianLudwig
Codebase: 1.0.0, trunk
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Engine
Component: LoginManager.pm
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: Foswikirev:2185
TargetRelease: patch
ReleasedIn: 1.0.1
Topic revision: r4 - 23 Feb 2009, KennethLavrsen
 