On Wed, 2008-08-20 at 12:23 -0700, Eric Larkin wrote:
> On 8/20/08 11:29 AM, "John Caruso" <[EMAIL PROTECTED]> wrote:
> > Whether or not that's so, the fact is that everyone on this list appeared
> > to share the same utterly natural assumption that "ns_returnfile X" really
> > will return file X
> 
> All, I've been on vacation or I would have chimed in earlier, but as John's
> client and CTO of the company who found the problem (and is now faced with a
> fairly extensive and difficult impact assessment to determine whether the
> confidentiality and integrity of our customers' data has been compromised),
> I find the suggestion that this is not a bug to be utterly baffling.

Eric,

I'm not sure what your qualifications are to determine if it is a bug or not.
The author of the code doesn't seem to think it is a bug. Everyone agrees that
the code works as intended. It was no secret at the time the code was written
that the file mtime granularity is one second. When fastpath was added many
years ago, it was documented in the changelogs. There are configuration
parameters in the config file.

I just sent an email responding to John's suggested patch. It is a great
suggestion for several reasons, the most important is that it doesn't change
the intended purpose of the cache or the API. As John said there is no visible
impact on the user. I would even go so far as to suggest that the wait time
(2 sec) be added as a configuration parameter. Although the semantics should
be discussed.

This patch may fix your initial problem, but it does nothing to fix the broken
use of ns_returnfile. If you are serious about not exposing sensitive
information, don't write it to disk as a file. Most security breaches don't
happen by accident. I have outlined how you can avoid the problem using
ns_returnfp, _AND_ a particular series of commands. No single API will serve
as some kind of shield of protection, it takes a lot of effort. Anything
involving files opens up a whole series of problems. They are not bugs.

tom jackson


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.
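
The one-second mtime granularity and the 2-second wait time discussed in the message above can be seen in a small model. This is an added example, not AOLserver's fastpath code and not John's patch. It assumes a cache that treats an entry as fresh when the whole-second mtime and the size are unchanged, and it assumes the wait time means "do not cache a file modified less than N seconds ago"; `MtimeCache`, `write_at` and `demo` are hypothetical names, and the file contents and timestamp are constructed.

```python
import os
import tempfile


class MtimeCache:
    """Toy file cache validated by (whole-second mtime, size). Hypothetical model."""

    def __init__(self, min_age=0):
        self.min_age = min_age  # seconds a file must be unmodified before it is cached
        self.entries = {}       # path -> (mtime_sec, size, data)

    def serve(self, path, now):
        st = os.stat(path)
        key = (int(st.st_mtime), st.st_size)
        hit = self.entries.get(path)
        if hit and hit[:2] == key:
            return hit[2]       # treated as fresh: same second, same size
        with open(path, "rb") as f:
            data = f.read()
        # Guard: a file modified within min_age seconds of "now" can still be
        # rewritten inside the same mtime second, so it is served but not cached.
        if now - key[0] >= self.min_age:
            self.entries[path] = key + (data,)
        else:
            self.entries.pop(path, None)
        return data


def write_at(path, data, mtime):
    """Write data and pin the file's mtime so the run is deterministic."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo(min_age):
    """Two same-size writes in one mtime second, then a later request."""
    t = 1219260000  # constructed timestamp
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        cache = MtimeCache(min_age)
        write_at(path, b"customer-A", t)
        first = cache.serve(path, now=t)
        write_at(path, b"customer-B", t)  # same name, size and mtime second
        second = cache.serve(path, now=t)
        third = cache.serve(path, now=t + 5)
        return first, second, third
```

With `min_age=0` every request after the first returns the first file's bytes; with `min_age=2` the second and third requests return the rewritten content.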
