Description of the problem

Although tick_foswiki.pl is run (e.g. through a cron job), no CGI session files are deleted.

Diagnosis

Looking at the method expireDeadSessions in LoginManager.pm
        my @stat = stat("$Foswiki::cfg{WorkingDir}/tmp/$file");

        my $lat = $stat[9] || $stat[10] || 0;
        unlink $file if ( $time - $lat >= $exp );

The problem is the unlink line. Here the path is missing!
        unlink "$Foswiki::cfg{WorkingDir}/tmp/$file" if ( $time - $lat >= $exp );
Since $file is untainted, I hope there's no problem with my solution above.

This path is necessary because the CGI session files are (normally) not in the current directory. This is especially true if you use the documented cron job entry, cf. tick_foswiki.pl:
# It is intended to be run as a cron job (remember it has to be run
# by a user who can write files created by the webserver user!)
# For example,
#
# 0 0 * * 0 cd /usr/foswiki/bin && perl ../tools/tick_foswiki.pl

-- ChristianLudwig - 26 Jan 2009
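The sweep below is an added example, not Foswiki's own LoginManager code: it reproduces the behaviour described in this report by running the expiry loop once with the bare $file (as in the original unlink) and once with the full path, from a working directory other than tmp/, as the cron entry above would. The function names, the cgisess_ filename pattern, the 6-hour expiry and the temporary directory layout are assumptions made for the demonstration; the return value of unlink is checked so that a failed delete is reported rather than silently ignored.

```perl
#!/usr/bin/perl
# Added example (not Foswiki's code): reproduces the expireDeadSessions path
# bug and shows the fixed behaviour. The sub names, the cgisess_ filename
# pattern and the directory layout are assumptions for this demonstration.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Cwd qw(getcwd);

# Remove files in $dir whose last modification (or, failing that, inode
# change) time is at least $exp seconds before $time. Returns the number of
# files actually unlinked. $with_path selects the fixed behaviour (unlink the
# full path) or the original one (unlink the bare name, resolved against cwd).
sub expire_dead_sessions {
    my ( $dir, $exp, $time, $with_path ) = @_;
    my $removed = 0;
    opendir( my $dh, $dir ) or die "Cannot open $dir: $!";
    while ( defined( my $file = readdir($dh) ) ) {
        next unless $file =~ /^cgisess_[0-9a-f]+$/;    # session files only (assumed pattern)
        my $full = File::Spec->catfile( $dir, $file );
        my @stat = stat($full);
        next unless @stat;
        my $lat = $stat[9] || $stat[10] || 0;           # mtime, then ctime
        next unless $time - $lat >= $exp;
        my $target = $with_path ? $full : $file;
        if ( unlink $target ) {
            $removed++;
        }
        else {
            # unlink returns the number of files removed; 0 means the stale
            # session is still on disk, which the original loop never noticed.
            warn "Could not unlink $target: $!\n";
        }
    }
    closedir $dh;
    return $removed;
}

# Demo: build a working directory with one stale and one fresh session file
# (constructed test data), then run the sweep from a different cwd, as a cron
# job would. Returns (removed by buggy sweep, files left, removed by fixed
# sweep, files left).
sub demo {
    my $work = tempdir( CLEANUP => 1 );
    my $tmp  = File::Spec->catdir( $work, 'tmp' );
    mkdir $tmp or die "mkdir $tmp: $!";
    my $now = time;
    for my $f ( [ 'cgisess_deadbeef', $now - 30 * 86400 ],    # stale: 30 days old
                [ 'cgisess_cafef00d', $now - 60 ] ) {           # fresh: 1 minute old
        my $p = File::Spec->catfile( $tmp, $f->[0] );
        open my $fh, '>', $p or die "open $p: $!";
        close $fh;
        utime $f->[1], $f->[1], $p or die "utime $p: $!";
    }
    my $exp      = 6 * 3600;    # assumed session expiry of six hours
    my $orig_cwd = getcwd();
    chdir $work or die "chdir $work: $!";    # anywhere but tmp/ itself

    my $buggy = expire_dead_sessions( $tmp, $exp, $now, 0 );
    my $left  = () = glob("$tmp/cgisess_*");
    my $fixed = expire_dead_sessions( $tmp, $exp, $now, 1 );
    my $after = () = glob("$tmp/cgisess_*");

    chdir $orig_cwd or die "chdir $orig_cwd: $!";
    return ( $buggy, $left, $fixed, $after );
}

my @r = demo();
printf "buggy sweep removed %d (%d left); fixed sweep removed %d (%d left)\n", @r;
```

With the bare filename the unlink fails because nothing called cgisess_deadbeef exists in the cron job's working directory, so both files survive; with the full path only the stale file is removed and the fresh one is kept.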

Confirmed.

I believe the fix you suggested is OK. I came to the exact same solution.

The $file is untainted, and I am sure the $Foswiki::cfg{WorkingDir} is considered part of the code files and not tainted either.

This bug is so severe that I will put it on the known issues page.

-- KennethLavrsen - 26 Jan 2009
