Yes, you should not share CGI::Session files; it does lead to leakage
and really odd side effects.

Olivier Berger wrote:
> On Wednesday, 13 August 2008 at 16:19 +0200, Julien Cristau wrote:
>> On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
>>
>>> so Dmitry,
>>>
>>> if you were trying to actually help get this fixed, I presume you would
>>> have suggested that I just patch the code to
>>>
>>> rm /tmp/twiki
>>> and then create it?
>>>
>>> or what are you actually suggesting?
>>>
>> No.  Don't touch/use predictable file names in /tmp.
>>
> 
> Which leads us again to something like /var/run/twiki/session/
> or /var/lib/twiki/tmp/session/ or some other custom path, with some
> garbage collection (cronjob?) and all the fuss?
> 
> Maybe there are best-practice uses of CGI::Session somewhere?
> 
> ... not to mention other uses of the other files created in /tmp/twiki
> at the moment... but the most critical seems to be the dir creation in
> the postinst.
> 
> Or maybe simply not create a separate dir for session files and use
> plain clear /tmp for CGI::Session files? Unless that leads to potential
> information leaks?
> 
> Follow-up to:
> http://lists.debian.org/debian-devel/2008/08/msg00340.html ?
> 
> My 2 cents,
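
An added example, not part of the original thread or of the TWiki packaging: one way a postinst-style shell script could set up the dedicated session directory discussed above (for example /var/lib/twiki/tmp/session/) and run the cron-style cleanup. The function names are hypothetical, and the `cgisess_*` pattern assumes CGI::Session's default file driver naming.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the TWiki package.

# ensure_session_dir DIR
# Create DIR as a private (0700) session directory, or accept an existing one
# only if it is a real directory owned by the current user.
ensure_session_dir() {
    dir=$1
    parent=$(dirname "$dir")

    # A world-writable parent (such as /tmp) lets any local user pre-create
    # or swap the name, so refuse it. find prints the parent only if the
    # other-write bit is set.
    if [ -n "$(find "$parent" -prune -perm -0002)" ]; then
        echo "refusing: $parent is world-writable" >&2
        return 1
    fi
    # Never follow a symlink sitting at the target name.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ -e "$dir" ]; then
        # Already there: do not remove and recreate, just verify it.
        if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
            echo "refusing: $dir is not a directory owned by this user" >&2
            return 1
        fi
    else
        # mkdir without -p fails if the name already exists, so a name that
        # appears between the checks and the create makes this step fail.
        ( umask 077 && mkdir "$dir" ) || return 1
    fi
    chmod 700 "$dir"
}

# purge_stale_sessions DIR DAYS
# Cron-style garbage collection: delete session files older than DAYS days.
# 'cgisess_*' is assumed here as the CGI::Session file driver's default naming.
purge_stale_sessions() {
    find "$1" -type f -name 'cgisess_*' -mtime +"$2" -exec rm -f {} +
}
```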


