John, It is not a bug in ns_returnfile.
tom jackson

On Tue, 2008-08-19 at 11:52 -0700, John Caruso wrote:
> On Tuesday 10:40 AM 8/19/2008, Jim Davidson wrote:
> >I would suggest
> >the code snippet of create temp file and use fastpath to return
> >contents is not a use case I was solving for or recommend.
>
> It's also not the use case in question--just a simple illustration of the
> problem. Here's a more realistic template of a use case (which closely
> mirrors the actual code that led to the discovery of the bug):
>
> eval exec /some/external/program --output-file $tempfile
> ns_returnfile 200 text/plain $tempfile
> ns_unlink -nocomplain $tempfile
>
> In other words, run an external program that writes its output to
> $tempfile, return that file to the user, and delete the file. This is a
> case in which ns_returnfile seems like the obvious and appropriate
> call--but if this procedure is run on behalf of users A and B within the
> same second (which is common on an active web server), and the results in
> $tempfile are the same length, B will get A's output. Depending on what
> information the external program writes to $tempfile, this could easily
> represent a security breach.
>
> That example involves timing between two different users, but something
> like the following will also trigger the bug:
>
> foreach user $users {
>     eval exec /some/external/program --output-file $tempfile --user $user
>     ns_returnfile 200 text/plain $tempfile
> }
>
> Again, this code looks perfectly appropriate, but it's very likely to
> return incorrect data due to this bug. Note that the ns_unlink isn't even
> required in this case.
>
> Also, regarding "use fastpath to return content": the developer in this
> case didn't know fastpath from a hole in the ground--after all, they were
> calling ns_returnfile, not fastpath. fastpath is just the
> behind-the-scenes mechanism that was making "ns_returnfile X" return a
> file other than X. And generally speaking, I'd say it's perfectly
> reasonable for a developer to believe that "ns_returnfile X" actually will
> return file X.
>
> - John
>
>
> --
> AOLserver - http://www.aolserver.com/
>
> To Remove yourself from this list, simply send an email to <[EMAIL
> PROTECTED]> with the
> body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
> field of your email blank.
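Added example, not code from this thread or from AOLserver: a constructed model of a fastpath-style cache that treats an entry as current when path, mtime (whole seconds) and size all match, run against the request pattern John describes, beside the mitigation of giving each request its own temp file. The cache key shape and the pinned timestamp are assumptions made to reproduce the "same second, same length" condition deterministically.

```python
import os
import tempfile

# Pinned mtime (seconds) so the "two requests in the same second" condition
# is reproduced deterministically; a constructed value, not real timing.
SAME_SECOND = 1_219_170_720


class FastpathCache:
    """Constructed model of a fastpath-style cache: an entry is considered
    current when path, mtime (whole seconds) and size all match. That key
    shape is an assumption drawn from the behaviour the thread describes."""

    def __init__(self):
        self._entries = {}

    def return_file(self, path):
        st = os.stat(path)
        key = (path, int(st.st_mtime), st.st_size)
        if key in self._entries:
            return self._entries[key]  # cache hit: may be another user's data
        with open(path, "rb") as f:
            data = f.read()
        self._entries[key] = data
        return data


def _write_output(path, data):
    """Stands in for the external program writing its output to $tempfile."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (SAME_SECOND, SAME_SECOND))  # model: same second


def serve_with_shared_tempfile(cache, outputs):
    """Bug pattern: every request reuses one fixed $tempfile path."""
    path = os.path.join(tempfile.gettempdir(), "constructed-shared.out")
    served = []
    for data in outputs:
        _write_output(path, data)
        served.append(cache.return_file(path))  # ns_returnfile
        os.unlink(path)                          # ns_unlink
    return served


def serve_with_unique_tempfile(cache, outputs):
    """Mitigation: a fresh mkstemp() path per request, so two requests
    cannot share a cache key even with equal length and mtime."""
    served = []
    for data in outputs:
        fd, path = tempfile.mkstemp(prefix="constructed-unique-")
        os.close(fd)
        _write_output(path, data)
        served.append(cache.return_file(path))
        os.unlink(path)
    return served
```

With two same-length outputs, the shared-path version returns the first user's bytes to the second request even though the file was deleted and rewritten in between; the unique-path version returns each user's own output.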