Gregory (Grisha) Trubetskoy 2005-04-07, 5:58 pm
On Thu, 7 Apr 2005, dharana wrote:
> I used tempfile.gettempdir() in order to send you the patch because this was
> the style used by DbmSession.
yeah, but with dbm it's just one file - here you're looking at a file per
session (if i read the code correctly).
> So what would be the correct thing to do?
> - check that it's only readable/writable by the apache user
yes, both on file creation and before reading it
> - check that the passed sid passes /^([a-f0-9]{32})$/
unless i'm missing something this would just be a waste of cpu cycles
> If you want me to I can make cPickler use protocol 2, add locking and those
> extra checks and send back the updated file.
I say go for it. For locking, look at the session code. Note that it uses
lock number 0 which is what you should use as well to avoid deadlock with
the session-specific locking.
Thanks!!!
Grisha
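The two file checks agreed on above (owner-only mode on creation, and again before reading) plus the sid check dharana proposed, as an added Python example that is not the FileSession patch or mod_python's own code; the `mp_sess_` filename prefix, the helper names and the use of a fresh temp directory are assumptions:

```python
import os
import re
import stat
import tempfile

# Constructed example, not the FileSession patch from the thread.
SID_RE = re.compile(r'[a-f0-9]{32}')  # the /^([a-f0-9]{32})$/ check proposed in the thread


def sid_is_valid(sid):
    """fullmatch, not match: '$' would still accept a trailing newline."""
    return SID_RE.fullmatch(sid) is not None


def session_path(base_dir, sid):
    """Map a sid to a file under base_dir; a malformed sid never reaches the filesystem."""
    if not sid_is_valid(sid):
        raise ValueError("malformed session id")
    return os.path.join(base_dir, "mp_sess_" + sid)  # prefix is an assumption


def create_session_file(path):
    """Create the file readable/writable by the owner (the apache user) only."""
    # O_EXCL fails if anything already sits at that path, e.g. a planted symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)


def session_file_is_safe(path):
    """Before reading: open without following symlinks and inspect the opened
    descriptor (fstat), so the check applies to the file we will actually read."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:          # missing, or a symlink (ELOOP)
        return False
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Constructed walk-through in a fresh temp dir: (fresh, symlink, loosened mode)."""
    base = tempfile.mkdtemp()
    path = session_path(base, "0123456789abcdef0123456789abcdef")
    create_session_file(path)
    fresh_ok = session_file_is_safe(path)
    link = os.path.join(base, "mp_sess_" + "f" * 32)
    os.symlink(path, link)       # a symlink in place of the session file must be rejected
    symlink_ok = session_file_is_safe(link)
    os.chmod(path, 0o644)        # mode loosened after creation must be rejected
    loosened_ok = session_file_is_safe(path)
    return fresh_ok, symlink_ok, loosened_ok
```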