[BioRuby] RFC Caching (was BioRuby standards)
Pjotr Prins
pjotr2008 at thebird.nl
Thu Sep 18 06:32:37 UTC 2008
Hi Naohisa,
On Thu, Sep 18, 2008 at 12:16:59PM +0900, Naohisa GOTO wrote:
> Hi Pjotr,
>
> If you don't want to implement any access control,
> using world writable directory like /tmp (comes from
> ENV['TMPDIR'] or Dir.tmpdir) by default should be disabled,
> because this is vulnerable to a symbolic link attack.
>
> About symbolic link attack, please refer documents:
> http://www.codeproject.com/KB/web-security/TemporaryFileSecurity.aspx
> (Note that Ruby's standard TempFile has no problem.)
I agree - assuming you are running a webservice for microarrays.
> When the "cache" directory isn't explicitly specified
> by user by using the environment variable BIORUBY_CACHE
> (or command-line options of custom application),
> doing without cache should be the default.
NCBI won't be happy with that. But if that is what Bioruby wants...
It is not only about my own bandwidth ;-).
> It is also good to raise SecurityError when the specified
> directory is writable by everyone.
I'll remove tmpdir - I introduced it because of an earlier mail.
Disabling the cache is easy - of course. Another option is to use
TmpFiles and keep track of those in a Hash (I'd rather not have large
IO objects in memory). OK, that is what I'll implement - assuming you
want to include the microarray stuff in Bioruby.
Pj.
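The two points discussed in this thread, refusing a world-writable (or symlinked) cache directory with a SecurityError and falling back to Tempfile objects tracked in a Hash when no cache directory is given, as an added example in Ruby. This is not code from the BioRuby project or from either poster; the method and class names (check_cache_dir!, resolve_cache_dir, TempfileCache) are hypothetical, and only the BIORUBY_CACHE environment variable and the idea of raising SecurityError come from the mail.

```ruby
require 'tempfile'
require 'tmpdir'

# Validate a user-supplied cache directory before writing anything into it.
# Raises SecurityError for the cases the thread warns about: the path is a
# symbolic link, not a directory, writable by everyone, or owned by someone
# else. Returns true when the directory passes. (Hypothetical helper.)
def check_cache_dir!(dir)
  st = File.lstat(dir) # lstat so a symlink is seen as a symlink, not followed
  raise SecurityError, "#{dir} is a symbolic link" if st.symlink?
  raise SecurityError, "#{dir} is not a directory" unless st.directory?
  # 0o002 is the "other write" bit: a world-writable directory lets any local
  # user plant a symlink at a predictable cache file name.
  raise SecurityError, "#{dir} is writable by everyone" if st.mode & 0o002 != 0
  raise SecurityError, "#{dir} is not owned by the current user" unless st.uid == Process.euid
  true
end

# Caching is off unless BIORUBY_CACHE is explicitly set; /tmp and
# Dir.tmpdir are never used as a silent default. Returns the validated
# directory or nil when caching is disabled. (Hypothetical helper.)
def resolve_cache_dir(env = ENV)
  dir = env['BIORUBY_CACHE']
  return nil if dir.nil? || dir.empty?
  check_cache_dir!(dir)
  dir
end

# Fallback for the "no cache directory" case: keep downloaded records in
# Tempfile objects (created safely by the standard library) and track them
# in a Hash keyed by the request, so large bodies stay on disk rather than
# in memory. (Hypothetical class.)
class TempfileCache
  def initialize
    @files = {}
  end

  def store(key, data)
    tf = Tempfile.new('bioruby-cache')
    tf.binmode
    tf.write(data)
    tf.flush
    @files[key] = tf
    data.bytesize
  end

  def fetch(key)
    tf = @files[key]
    return nil if tf.nil?
    tf.rewind
    tf.read
  end

  def size
    @files.size
  end
end

if __FILE__ == $PROGRAM_NAME
  dir = resolve_cache_dir
  puts(dir ? "caching to #{dir}" : 'BIORUBY_CACHE not set: caching disabled')
end
```

Because Tempfile creates the file with an unpredictable name and mode 0600 under a per-process handle, it avoids the symlink race that a hand-built path under /tmp would have; the Hash only holds the Tempfile handles, not the file contents.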