[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]
Jesse Vincent
jesse at bestpractical.com
Tue Nov 3 07:59:42 EST 2009
> This patch doesn't solve the issue. People still get mixed sessions (test was
> done after deleting all sessions from sessions table and restarting apache).
Hang on. Is mod_cache caching more than the files marked "static, never
changes"? Since this patch should stop RT from putting cookie headers on
any static content (and a fair bit more that we can get away without
them on).
-j
> > diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
> > index b82b638..dccf829 100755
> > --- a/lib/RT/Interface/Web.pm
> > +++ b/lib/RT/Interface/Web.pm
> > @@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
> > return unless $m->base_comp->path =~
> > RT->Config->Get('WebNoAuthRegex');
> >
> > # If it's a noauth file, don't ask for auth.
> > - SendSessionCookie();
> > $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %$ARGS );
> > $m->abort;
> > }
> >
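Review bot: the removed SendSessionCookie() call in MaybeShowNoAuthPage leaves no comment recording why NoAuth responses must not set a cookie, and the remaining "# If it's a noauth file, don't ask for auth." does not cover it; suggest extending that comment, e.g. "# NoAuth content must not carry Set-Cookie: a shared cache would replay one user's session to others." Note also that this hunk only affects paths matching WebNoAuthRegex, so any response outside that regex that a shared cache stores would still carry a cookie, which is consistent with the report above that sessions are still mixed after applying it.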
>
>
> --
> Arkadiusz Miśkiewicz PLD/Linux Team
> arekm / maven.pl http://ftp.pld-linux.org/
>
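An added check, not from this thread or from RT itself, that audits one response's headers for the hazard discussed above: a session cookie, or a per-user page, that a shared cache such as mod_cache could store and replay to another client. NOAUTH_REGEX and the sample responses are constructed stand-ins for a site's WebNoAuthRegex setting and real traffic.

```python
import re
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Constructed stand-in for RT's WebNoAuthRegex setting; the real value is site-specific.
NOAUTH_REGEX = re.compile(r"^/(NoAuth|static)/")


def _values(headers: List[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _cache_control_tokens(headers: List[Header]) -> Set[str]:
    """Directive names from every Cache-Control header, lower-cased, values dropped."""
    tokens: Set[str] = set()
    for value in _values(headers, "Cache-Control"):
        for part in value.split(","):
            tokens.add(part.strip().split("=", 1)[0].lower())
    return tokens


def audit_response(path: str, headers: List[Header]) -> List[str]:
    """Return finding codes for one response as a shared cache would see it."""
    findings: List[str] = []
    noauth = bool(NOAUTH_REGEX.search(path))
    has_cookie = bool(_values(headers, "Set-Cookie"))
    cc = _cache_control_tokens(headers)
    shared_cache_forbidden = bool(cc & {"private", "no-store"})
    vary_cookie = any("cookie" in v.lower() for v in _values(headers, "Vary"))

    if noauth and has_cookie:
        # The condition the quoted patch removes: a session cookie on NoAuth content.
        findings.append("SET_COOKIE_ON_NOAUTH")
    if has_cookie and not shared_cache_forbidden:
        # A stored copy of this response would hand its Set-Cookie to every later client.
        findings.append("SET_COOKIE_CACHEABLE")
    if not noauth and not shared_cache_forbidden and not vary_cookie:
        # A per-user page body could be stored once and served to every session.
        findings.append("AUTH_PAGE_SHARED_CACHEABLE")
    return findings


# Constructed sample: a static stylesheet before the patch (cookie attached) and after it.
BEFORE_PATCH: List[Header] = [("Content-Type", "text/css"), ("Set-Cookie", "SESSION=constructed-value")]
AFTER_PATCH: List[Header] = [("Content-Type", "text/css")]

if __name__ == "__main__":
    print(audit_response("/NoAuth/css/main.css", BEFORE_PATCH))  # ['SET_COOKIE_ON_NOAUTH', 'SET_COOKIE_CACHEABLE']
    print(audit_response("/NoAuth/css/main.css", AFTER_PATCH))   # []
```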
--
More information about the rt-users mailing list