[BioRuby] RFC Caching (was BioRuby standards)
Pjotr Prins
pjotr2008 at thebird.nl
Tue Sep 23 11:58:52 UTC 2008
Hi Naohisa,
I fixed the Cache to be secure. It will use a safe Tmpdir if no
directory is specified and raise SecurityErrors when appropriate.
See http://github.com/pjotrp/bioruby/tree/master
Pj.
On Thu, Sep 18, 2008 at 08:32:37AM +0200, Pjotr Prins wrote:
> Hi Naohisa,
>
> On Thu, Sep 18, 2008 at 12:16:59PM +0900, Naohisa GOTO wrote:
> > Hi Pjotr,
> >
> > If you don't want to implement any access control,
> > using a world-writable directory like /tmp (which comes from
> > ENV['TMPDIR'] or Dir.tmpdir) by default should be disabled,
> > because this is vulnerable to a symbolic link attack.
> >
> > About symbolic link attacks, please refer to this document:
> > http://www.codeproject.com/KB/web-security/TemporaryFileSecurity.aspx
> > (Note that Ruby's standard TempFile has no problem.)
>
> I agree - assuming you are running a webservice for microarrays.
>
> > When the "cache" directory isn't explicitly specified
> > by the user via the environment variable BIORUBY_CACHE
> > (or command-line options of a custom application),
> > doing without a cache should be the default.
>
> NCBI won't be happy with that. But if that is what Bioruby wants...
> It is not only about my own bandwidth ;-).
>
> > It is also good to raise SecurityError when the specified
> > directory is writable by everyone.
>
> I'll remove tmpdir - I introduced it because of an earlier mail.
>
> Disabling the cache is easy - of course. Another option is to use
> TmpFiles and keep track of those in a Hash (I'd rather not have large
> IO objects in memory). OK, that is what I'll implement - assuming you
> want to include the microarray stuff in Bioruby.
>
> Pj.
> _______________________________________________
> BioRuby mailing list
> BioRuby at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/bioruby
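The checks the thread settles on, as an added Ruby example that is not BioRuby's own Cache code: a configured directory is rejected with SecurityError when it is a symbolic link, not owned by the caller, or writable by group or others (as /tmp is), and when nothing is configured a private directory from Dir.mktmpdir is used instead of the shared temp directory. The BIORUBY_CACHE variable is from the thread; the module and method names are assumed.

```ruby
require 'tmpdir'

# Added example: validation of a cache directory before it is used.
# Module and method names are assumptions, not BioRuby's API.
module CacheDirCheck
  # Ensure +path+ is a directory the current process can trust: it must
  # exist, not be a symbolic link, be owned by the current user, and not
  # be writable by group or others. Raises SecurityError for the first
  # condition that fails, otherwise returns +path+.
  def self.check!(path)
    st = File.lstat(path) # lstat so a symlink is inspected, not followed
    raise SecurityError, "#{path} is a symbolic link" if st.symlink?
    raise SecurityError, "#{path} is not a directory" unless st.directory?
    raise SecurityError, "#{path} is not owned by uid #{Process.uid}" unless st.owned?
    if (st.mode & 0o022) != 0
      raise SecurityError,
            format('%s is writable by group/others (mode %o)', path, st.mode & 0o777)
    end
    path
  end

  # Pick the directory to use. An explicit setting (BIORUBY_CACHE by
  # default) is validated with check!; with no setting, a fresh private
  # directory (mode 0700, unpredictable name) is created by Dir.mktmpdir,
  # so the process never writes into a shared world-writable /tmp.
  def self.resolve(explicit = ENV['BIORUBY_CACHE'])
    return check!(explicit) if explicit && !explicit.empty?

    Dir.mktmpdir('bioruby_cache')
  end
end
```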