On Mon, 2008-08-18 at 16:56 -0700, Jade Rubick wrote:
> Consider this use case:
>       * You use git or another version control system to store for a
>         bunch of static html files you serve with Aolserver. 
>       * You check out all of your static html files. Because they're
>         all checked out at the same time, many of them have identical
>         timestamps.
> Could the user get the wrong version of an html file they're being
> served?

No, because each file has a different inode. The "bug" requires that you
create and destroy one file and create another one within one second (so
they have the same timestamp) also required that the same inode is used
and that the file is the same exact size. 

But beyond that, hopefully your git checkout will maintain the original
timestamp with the file.

> What about this scenario:
>       * You have a web application that allows administrators on
>         various sites hosted on your application to download a list of
>         user names and passwords (this is a slightly contrived
>         example). They can download it to CSV.
>       * Admin #1 generates this file. You create a unique filename for
>         their site_id, because you want a unique filename to return
>         back to the user: site-1234-passwords.csv. You return this
>         file to the admin.
>       * Admin #2 generates their file. You create a unique filename
>         for their site_id, because you want a unique filename to
>         return back to the user: site-5000-passwords.csv. You attempt
>         to return this file to the admin. Because their request was in
>         the same second, however, they get site-1234-passwords.csv?
> Do I understand the problem correctly? I think both of these scenarios
> are pretty common examples of the way people use Aolserver currently,
> but I'm not sure if I'm understanding correctly the bug.

The filename doesn't matter, neither does the source of the information.
Two different requests could create files. The requirement is that the
first is created and destroyed and the second is created within the same
second as the first, reuses the inode, has the exact same size. 

This is why you should not use linked files (with path names) as
temporary storage. Instead, open the file then unlink it (delete it from
the filesystem), then use it via the fd.

In short: there is no bug.

tom jackson

AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> 
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.

Reply via email to