quetz-mod_python-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dharana <dhar...@dharana.net>
Subject Re: [mod_python] Sessions performance and some numbers
Date Thu, 07 Apr 2005 19:02:10 GMT


Gregory (Grisha) Trubetskoy wrote:
> 
> With this implementation - is there still any advantage to usnig a DBM 
> at all?
> 
> I still think that security needs to be addressed slightly better - 
> perhaps explicitely setting permissions - perhaps putting sessions in a 
> subdirectory only readable, writable and executable by apache user would 
> make it a bit cleaner. The current mod_python DBMSession does not 
> explicitely set permissions which is a problem. (though inserting a bad 
> pickle into dbm is slightly harder than just just writing a file and 
> then calling a url that you know will cause mod_python to attempt to 
> unpickle it)
> 
> Also, I don't see any locking here, I think it's needed.

I used tempfile.gettempdir() in order to send you the patch because this 
was the style used by DbmSession. So what would be the correct thing to do?
- check that it's only readable/writable by the apache user
- check that the passed sid passes /^([a-f0-9]{32})$/


If you want me to I can make cPickler use protocol 2, add locking and 
those extra checks and send back the updated file. If someone more 
skilled than me prefers to do it just tell me.

-- 
Juan Alonso
http://gamersmafia.com | http://laflecha.net


Mime
View raw message