Comment 0 for bug 7128

Package: libruby1.8
Version: 1.8.1+1.8.2pre1-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

I just noticed that CGI::Session's FileStore (and presumably PStore)
implementations store session information insecurely. They simply
create files, ignoring permission issues. I assume the only thing
affecting permissions is the value of umask. For both my user, as
well as www-data, session files end up in /tmp with permission
0644. This is quite bad; an unsuspecting user might be storing
sensitive information in session variables, assuming that the class
stores data securely.

The following script illustrates the problem:

#!/usr/bin/ruby -w

require 'cgi'
require 'cgi/session'

cgi = CGI.new('html4')
session = CGI::Session.new(cgi, 'prefix' => 'blah_')
Kernel.system("ls -l " + Dir.glob("/tmp/blah_*").join(" "))

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages libruby1.8 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an

-- no debconf information