John,

It is not a bug in ns_returnfile. 

tom jackson

On Tue, 2008-08-19 at 11:52 -0700, John Caruso wrote:
> On Tuesday 10:40 AM 8/19/2008, Jim Davidson wrote:
> >I would suggest
> >the code snippet of create temp file and use fastpath to return
> >contents is not a use case I was solving for or recommend.
> 
> It's also not the use case in question--just a simple illustration of the 
> problem.  Here's a more realistic template of a use case (which closely 
> mirrors the actual code that led to the discovery of the bug):
> 
>      eval exec /some/external/program --output-file $tempfile
>      ns_returnfile 200 text/plain $tempfile
>      ns_unlink -nocomplain $tempfile
> 
> In other words, run an external program that writes its output to 
> $tempfile, return that file to the user, and delete the file.  This is a 
> case in which ns_returnfile seems like the obvious and appropriate 
> call--but if this procedure is run on behalf of users A and B within the 
> same second (which is common on an active web server), and the results in 
> $tempfile are the same length, B will get A's output.  Depending on what 
> information the external program writes to $tempfile, this could easily 
> represent a security breach.
> 
> That example involves timing between two different users, but something 
> like the following will also trigger the bug:
> 
>      foreach user $users {
>          eval exec /some/external/program --output-file $tempfile --user $user
>          ns_returnfile 200 text/plain $tempfile
>      }
> 
> Again, this code looks perfectly appropriate, but it's very likely to 
> return incorrect data due to this bug.  Note that the ns_unlink isn't even 
> required in this case.
> 
> Also, regarding "use fastpath to return content": the developer in this 
> case didn't know fastpath from a hole in the ground--after all, they were 
> calling ns_returnfile, not fastpath.  fastpath is just the 
> behind-the-scenes mechanism that was making "ns_returnfile X" return a 
> file other than X.  And generally speaking, I'd say it's perfectly 
> reasonable for a developer to believe that "ns_returnfile X" actually will 
> return file X.
> 
> - John
> 
> 
> --
> AOLserver - http://www.aolserver.com/
> 
> To Remove yourself from this list, simply send an email to <[EMAIL 
> PROTECTED]> with the
> body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
> field of your email blank.
> 
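
An added illustration, not part of the original messages and not AOLserver code: a Python model of the behaviour described in the quoted message, next to a reader that always opens the file. It assumes a cache that reuses an entry while the path, whole-second modification time and size are unchanged; that rule and the names `StatValidatedCache`, `read_uncached`, `write_report` and `demo` are assumptions made for the example.

```python
import os
import tempfile


class StatValidatedCache:
    """Model cache: an entry is reused while whole-second mtime and size match."""

    def __init__(self):
        self._entries = {}

    def read(self, path):
        st = os.stat(path)
        stamp = (int(st.st_mtime), st.st_size)  # sub-second changes are invisible
        hit = self._entries.get(path)
        if hit is not None and hit[0] == stamp:
            return hit[1]  # served from memory, the file is not reread
        with open(path, "rb") as fh:
            data = fh.read()
        self._entries[path] = (stamp, data)
        return data


def read_uncached(path):
    """Hardened form: always return what is on disk at this moment."""
    with open(path, "rb") as fh:
        return fh.read()


def write_report(path, text, mtime):
    """Stand-in for the external program; mtime is pinned so the run is repeatable."""
    with open(path, "wb") as fh:
        fh.write(text)
    os.utime(path, (mtime, mtime))


def demo():
    """Serve two same-length outputs written within one second, per reader."""
    base = 1219171920  # constructed timestamp
    jobs = ((b"alice", base + 0.2), (b"bobby", base + 0.7))
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "out.txt")
        for name, reader in (("cached", StatValidatedCache().read),
                             ("uncached", read_uncached)):
            served = []
            for user, mtime in jobs:
                write_report(path, b"secret for " + user + b"\n", mtime)
                served.append(reader(path))
                os.unlink(path)  # deleting the file does not evict the entry
            results[name] = served
    return results
```

In this model the second request through the cache receives the first user's bytes, while the uncached reader returns each user's own output.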

