Item4898 and the related Debian CVE show that we should avoid writing session files unnecessarily, as that leads to needing looser file and dir permissions than sensible, thus allowing a look-in for hackers.
-- TWiki:Main/SvenDowideit - 15 Nov 2007
Session files are not written when the command_line context is set (which it should be automatically for all scripts invoked from the command-line via UI.pm). Scripts that do not go via UI.pm - such as rest - set command_line themselves. The only other scripts that I'm aware of that might have a problem are the tests, and most of the time we deliberately want the tests to use a query / session. Some other scripts, such as mailnotify, have been sloppily written and don't set command_line. So I have modified TWiki.pm to set command_line if no other initial context is given, and there is no query. I believe that should answer.
Checkins Rev:15712 Rev:15713 mistakenly attributed to 4982
CC