[BioRuby] RFC Caching (was BioRuby standards)

Pjotr Prins pjotr2008 at thebird.nl
Tue Sep 23 11:58:52 UTC 2008


Hi Naohisa,

I fixed the Cache to be secure. It will use a safe Tmpdir if no
directory is specified and raise SecurityErrors when appropriate.

See http://github.com/pjotrp/bioruby/tree/master

Pj.

On Thu, Sep 18, 2008 at 08:32:37AM +0200, Pjotr Prins wrote:
> Hi Naohisa,
> 
> On Thu, Sep 18, 2008 at 12:16:59PM +0900, Naohisa GOTO wrote:
> > Hi Pjotr,
> > 
> > If you don't want to implement any access control,
> > using a world-writable directory like /tmp (which comes from
> > ENV['TMPDIR'] or Dir.tmpdir) by default should be disabled,
> > because this is vulnerable to a symbolic link attack.
> > 
> > About the symbolic link attack, please refer to these documents:
> > http://www.codeproject.com/KB/web-security/TemporaryFileSecurity.aspx
> > (Note that Ruby's standard TempFile has no problem.)
> 
> I agree - assuming you are running a webservice for microarrays.
> 
> > When the "cache" directory isn't explicitly specified
> > by the user through the environment variable BIORUBY_CACHE
> > (or command-line options of a custom application),
> > doing without a cache should be the default.
> 
> NCBI won't be happy with that. But if that is what BioRuby wants...
> It is not only about my own bandwidth ;-). 
> 
> > It is also good to raise SecurityError when the specified
> > directory is writable by everyone.
> 
> I'll remove tmpdir - I introduced it because of an earlier mail.
> 
> Disabling the cache is easy - of course. Another option is to use
> TmpFiles and keep track of those in a Hash (I'd rather not have large
> IO objects in memory). OK, that is what I'll implement - assuming you
> want to include the microarray stuff in BioRuby.
> 
> Pj.
> _______________________________________________
> BioRuby mailing list
> BioRuby at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/bioruby
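
The policy discussed in this thread, as an added Ruby example that is not part of the original messages and is not BioRuby's own code: a private temporary directory when none is specified, and SecurityError for a world-writable one. The helper name `secure_cache_dir` is hypothetical, and the symlink and ownership checks are assumptions that go beyond what the thread asks for.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper (not BioRuby's API): return a directory that is safe
# to use as a cache, or raise SecurityError.
def secure_cache_dir(dir = ENV['BIORUBY_CACHE'])
  # No directory specified: create a fresh private directory (mode 0700,
  # unpredictable name) rather than writing known names straight into /tmp.
  return Dir.mktmpdir('bioruby-cache-') if dir.nil? || dir.empty?

  begin
    Dir.mkdir(dir, 0700)          # atomic: fails if anything already exists here
  rescue Errno::EEXIST
    # Something is already at this path; it is inspected below before use.
  end

  st = File.lstat(dir)            # lstat does not follow a symlink at this path
  raise SecurityError, "#{dir} is a symbolic link" if st.symlink?
  raise SecurityError, "#{dir} is not a directory" unless st.directory?
  raise SecurityError, "#{dir} is writable by everyone" if st.mode & 0002 != 0
  unless st.uid == Process.euid   # assumption: cache must belong to this user
    raise SecurityError, "#{dir} is not owned by the current user"
  end
  dir
end

# Demonstration on constructed directories inside a scratch area.
if __FILE__ == $0
  Dir.mktmpdir do |base|
    loose = File.join(base, 'loose')
    Dir.mkdir(loose)
    File.chmod(0777, loose)       # constructed world-writable directory
    [File.join(base, 'private'), loose].each do |candidate|
      begin
        puts "accepted: #{secure_cache_dir(candidate)}"
      rescue SecurityError => e
        puts "rejected: #{e.message}"
      end
    end
  end
end
```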
