Untainted, unfrozen, honest-to-god session data!

Hello,

I’m trying to find a replacement for CGI::Session::FileStore which works
"just like CGI::Session::MemoryStore" (from my perspective, at least),
except that it actually saves the session hash to disk.

I don’t want my objects all converted to Strings.
I don’t want my objects to be tainted (if they weren’t tainted before).
I don’t want my objects frozen.

Like I said, just like MemoryStore. I tried using PStore (there was code
for a PStoreStore on the list a while back, and a buggier one more
recently), and I tried using Marshal just straight, but things keep getting
tainted, and frozen (so I can’t even untaint them).

I just want my session back… :(

Thoughts? Solutions? Am I going about this all wrong?

PHP made this part really easy (granted, at the expense of being totally
insecure). Isn’t there something at least semi-easy in Ruby?

Many thanks for any help,

Chris

i put CGI::Session::Pstore on the RAA

http://www.ruby-lang.org/en/raa-list.rhtml?id=727

this was suggested by matz, but who knows if my implementation is the best
one. i’m using it in TONS of cgi programs however!

-a

====================================

Ara Howard
NOAA Forecast Systems Laboratory
Information and Technology Services
Data Systems Group
R/FST 325 Broadway
Boulder, CO 80305-3328
Email: ahoward@fsl.noaa.gov
Phone: 303-497-7238
Fax: 303-497-7259
====================================

Well, I tried something just like that…

Just to make sure, though, I tried your PStore. Again, the session hash is
coming back tainted and the keys and values are tainted and frozen, so I
can’t untaint them. Does this not happen to you?

I am using mod_ruby, which I believe sets the $SAFE level to 1. Is the
$SAFE level causing things to get frozen somehow? Is mod_ruby doing this?
Or is this just how Marshal works?

Hmmm…

----- Original Message -----
From: “ahoward” ahoward@fsl.noaa.gov
Newsgroups: comp.lang.ruby
To: “Chris” nemo@hellotree.com
Sent: Tuesday, November 19, 2002 7:41 PM
Subject: Re: untainted, unfrozen, honest-to-god session data!

On Wed, 20 Nov 2002, Chris wrote:

i put CGI::Session::Pstore on the RAA

http://www.ruby-lang.org/en/raa-list.rhtml?id=727

this was suggested by matz, but who knows if my implementation is the best
one. i’m using it in TONS of cgi programs however!

-a

Hello,

I’m trying to find a replacement for CGI::Session::FileStore which works
“just like CGI::Session::MemoryStore” (from my perspective, at least),
except that it actually saves the session hash to disk.

I don’t want my objects all converted to Strings.
I don’t want my objects to be tainted (if they weren’t tainted before).
I don’t want my objects frozen.

Well, I tried something just like that…

Just to make sure, though, I tried your PStore. Again, the session hash is
coming back tainted and the keys and values are tainted and frozen, so I
can’t untaint them. Does this not happen to you?

I am using mod_ruby, which I believe sets the $SAFE level to 1. Is the
$SAFE level causing things to get frozen somehow? Is mod_ruby doing this?
Or is this just how Marshal works?

Hmmm…

don’t know about that…

according to the output of

http://eli.fsl.noaa.gov/ruby/class/0/cgi/session/pstore.cgi

the data is not frozen, but is tainted. there is nothing in my code which
does this, and i had a peek into session.rb too - seems like there isn’t
anything there either (but i’ve been up for 20 hours)

i’m guessing the frozen is a mod_ruby thing?

-a

Well, after closer inspection, I think I have narrowed down the freezing
problem some. The problem seems to be with Hash objects only. All of the
keys of the session hash are frozen. All of the keys of all of the hashes
in the session hash are also frozen. And everything, everything is
tainted, except for Fixnums, true, false, and nil.

So I have no idea why this is happening. I, too, have looked around and
have found nothing.

according to the output of

http://eli.fsl.noaa.gov/ruby/class/0/cgi/session/pstore.cgi

the data is not frozen, but is tainted. there is nothing in my code which
does this, and i had a peek into session.rb too - seems like there isn’t
anything there either (but i’ve been up for 20 hours)

i’m guessing the frozen is a mod_ruby thing?

----- Original Message -----

I don’t want my objects all converted to Strings.
I don’t want my objects to be tainted (if they weren’t tainted before).
I don’t want my objects frozen.

I’d prefer a real solution (you know, CGI::Session::MemoryLikeFileStore),
but at this point even a workaround would be nice.

So, like I was saying…

----- Original Message -----
Well, after closer inspection, I think I have narrowed down the freezing
problem some. The problem seems to be with Hash objects only. All of the
keys of the session hash are frozen. All of the keys of all of the hashes
in the session hash are also frozen. And everything, everything is
tainted, except for Fixnums, true, false, and nil.

I guess I should have said that all non-immediate values were tainted. But
I forgot Symbols! Indeed, symbols are not tainted, either. Also, if I use
symbols for my hash keys, they are not frozen, either. Since I was (at
least so far) only using Strings for my hash keys, I could switch to symbols
with no real problem… right?

My concern is Marshalling symbols. I thought that Symbols weren’t
necessarily always the same. Now in mod_ruby, the ruby program is always
running, right? So the Symbols would always be the same unless I restarted
httpd, right? I could detect that easily enough.

Still, does this seem like a bad idea to anyone?

Like I said, I just want my session back, just like I left it!

Many thanks,

Chris

String hash keys are copied and frozen. This is intended behavior.
If you want to preserve original strings, put them in the value, i.e.

hash[key] = [key, value]

Session data are tainted, because they are external. Maybe there’s a
smarter way to untaint trusted external data. But I have no idea
right now. Currently, you have to remove taintedness by yourself
using “untaint”.

						matz.

In message “Re: untainted, unfrozen, honest-to-god session data!” on 02/11/20, “Chris” nemo@hellotree.com writes:

Well, after closer inspection, I think I have narrowed down the freezing
problem some. The problem seems to be with Hash objects only. All of the
keys of the session hash are frozen. All of the keys of all of the hashes
in the session hash are also frozen. And everything, everything is
tainted, except for Fixnums, true, false, and nil.

So I have no idea why this is happening. I, too, have looked around and
have found nothing.

My concern is Marshalling symbols. I thought that Symbols weren't
necessarily always the same. Now in mod_ruby, the ruby program is always
running, right? So the Symbols would always be the same unless I restarted
httpd, right?

When ruby marshals a symbol it stores the _string_; when it reloads it, it
re-creates the symbol from the string.

pigeon% ruby -e 'p Marshal.dump(:symbol)'
"\004\006:\vsymbol"
pigeon%

pigeon% ruby -e 'p Marshal.load(Marshal.dump(:symbol))'
:symbol
pigeon%

the symbols should be the same, even if you restart httpd

Guy Decoux
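
The two behaviours described in the replies above (String hash keys are copied and frozen, Symbols are marshalled by name), as an added example that is not code from anyone in this thread. The sample session and all helper names are constructed for illustration; taint is left out because Ruby 3.2 and later no longer implement it.

```ruby
require "rbconfig"

# Constructed sample session; keys and values are illustrative only.
def sample_session
  { String.new("user") => String.new("chris"), :role => :admin,
    String.new("prefs") => { String.new("lang") => String.new("en") } }
end

# Marshal is what PStore uses to write and read its file.
def round_trip(obj)
  Marshal.load(Marshal.dump(obj))
end

# Map every String key in a nested hash to its frozen state.
def string_key_states(hash, out = {})
  hash.each do |k, v|
    out[k] = k.frozen? if k.is_a?(String)
    string_key_states(v, out) if v.is_a?(Hash)
  end
  out
end

# Hash#[]= stores a frozen copy of an unfrozen String key;
# the caller's own String object is left alone.
def key_copy_report
  original = String.new("user")
  h = {}
  h[original] = 1
  stored = h.keys.first
  { same_object: stored.equal?(original), stored_frozen: stored.frozen?,
    original_frozen: original.frozen? }
end

# matz's workaround: keep the original String in the value.
def store_with_key(hash, key, value)
  hash[key] = [key, value]
  hash
end

# Load a dumped Symbol in a fresh interpreter, standing in for an httpd restart.
def symbol_in_new_process(sym)
  child = [RbConfig.ruby, "-e", "print Marshal.load($stdin.binmode.read).inspect"]
  IO.popen(child, "r+") do |io|
    io.binmode
    io.write(Marshal.dump(sym))
    io.close_write
    io.read
  end
end
```

After a round trip the String keys at every nesting level come back frozen while the String values stay mutable, which matches what Chris observed for hashes.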

Session data are tainted, because they are external. Maybe there’s a
smarter way to untaint trusted external data. But I have no idea
right now. Currently, you have to remove taintedness by yourself
using “untaint”.

The session data is not external, but the key is. I don’t know how
this changes the discussion, but it seems important to me.

~ Patrick

Hi,

In message “Re: untainted, unfrozen, honest-to-god session data!” on 02/11/22, Patrick May patrick-may@monmouth.com writes:

Session data are tainted, because they are external. Maybe there’s a
smarter way to untaint trusted external data. But I have no idea
right now. Currently, you have to remove taintedness by yourself
using “untaint”.

The session data is not external, but the key is. I don’t know how
this changes the discussion, but it seems important to me.

Ah, I meant “external” as data read from the file. Session data is
published to the file, then read from the file.

						matz.

I don’t understand. When you say “key”, do you mean the session id (which
is read in from the cookie)?

If so, yes, that should be tainted, which I guess would taint the session
data… is that what you’re saying?

Huh… then I guess you wouldn’t want to untaint the session data until you
have verified that the session id was valid (like checking remote ip and
port are the same as last time, and session hasn’t timed out, etc).

Well, that’s a very good point.

----- Original Message -----
From: “Patrick May” patrick-may@monmouth.com

The session data is not external, but the key is. I don’t know how
this changes the discussion, but it seems important to me.

~ Patrick

Ah, I meant “external” as data read from the file. Session data is
published to the file, then read from the file.

Double ah. One of the things Tom and I discovered about a “web”
environment is that much of what a CGI library provides should be
treated like the Kernel module, like a Web::Kernel. We were thinking
about IO behaviour (:puts should send things to the browser, etc.),
but I also think it applies to this sort of thing, where “external”
means something different.

I guess I should ensure that Narf’s Web::Session untaints from the
files it wrote, since that corresponds to what the web programmer
would consider “external”.

I wonder what other surprises are tucked away in this problem?

:)

~ Patrick
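
One way to apply the check Chris describes (validate the cookie-supplied session id, the client address and the timeout before the stored data is trusted), as an added example that is not code from the thread or from any library named in it. The id format, `SESSION_TTL`, the `sess_` file prefix and both helper names are assumptions.

```ruby
require "tmpdir"

SESSION_ID_FORMAT = /\A[0-9a-f]{32}\z/ # assumed id shape: 32 lowercase hex chars
SESSION_TTL = 1800                     # assumed idle timeout, in seconds

# Hypothetical helper: write a session record produced by the application itself.
def save_session(dir, id, data, remote_ip, now = Time.now)
  raise ArgumentError, "bad session id" unless id.match?(SESSION_ID_FORMAT)
  record = { ip: remote_ip, seen: now.to_i, data: data }
  File.binwrite(File.join(dir, "sess_#{id}"), Marshal.dump(record))
end

# Hypothetical helper: return the session data, or nil if any check fails.
def load_session(dir, cookie_id, remote_ip, now = Time.now)
  # The id comes from the cookie, so its shape is checked before it is
  # allowed anywhere near a file name.
  return nil unless cookie_id.is_a?(String) && cookie_id.match?(SESSION_ID_FORMAT)
  path = File.join(dir, "sess_#{cookie_id}")
  return nil unless File.file?(path)
  # Marshal.load is only acceptable here because the file was written by
  # save_session under a validated name; never feed it client-supplied bytes.
  record = Marshal.load(File.binread(path))
  return nil unless record[:ip] == remote_ip
  return nil if now.to_i - record[:seen] > SESSION_TTL
  record[:data]
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    id = "0123456789abcdef0123456789abcdef" # constructed sample id
    save_session(dir, id, { "cart" => [1, 2] }, "192.0.2.10")
    p load_session(dir, id, "192.0.2.10")
    p load_session(dir, "../../etc/passwd", "192.0.2.10")
  end
end
```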