SECURITY:

Andres Salomon noticed a problem in the CGI session management of Ruby. CGI::Session's FileStore implementations store session information insecurely. They simply create files, ignoring permission issues. The added patch fixes this issue. ok pvalchev@
2004-08-17 16:03:10 +00:00 · 2004-08-17 16:03:10 +00:00 · 19bf64c2d4
commit 19bf64c2d4
parent cd93ac7b32
1 changed files with 12 additions and 0 deletions
--- a/lang/ruby/patches/patch-lib_cgi_session_rb
+++ b/lang/ruby/patches/patch-lib_cgi_session_rb
@ -0,0 +1,12 @@
+$OpenBSD: patch-lib_cgi_session_rb,v 1.1 2004/08/17 16:03:10 robert Exp $
+--- lib/cgi/session.rb.orig	Tue Aug 17 02:31:13 2004
+++ lib/cgi/session.rb	Tue Aug 17 02:34:18 2004
+@@ -372,7 +372,7 @@
+ 	begin
+ 	  @f = open(path, "r+")
+ 	rescue Errno::ENOENT
+-	  @f = open(path, "w+")
+	  @f = File.open(path, File::CREAT|File::RDWR, 0600)
+ 	end
+       end
+