[bug-Class-DBI@xx.xxxx.xxx: [cpan #6434] LiveObject caching may return results from other DBs when using custom db_Main]


From: Tony Bowden
Subject: [bug-Class-DBI@xx.xxxx.xxx: [cpan #6434] LiveObject caching may return results from other DBs when using custom db_Main]
Date: 05:48 on 28 May 2004


Tony



Subject: [cpan #6434] LiveObject caching may return results from other DBs when using custom db_Main
From: "Guest via RT" <bug-Class-DBI@xx.xxxx.xxx>
Reply-To: bug-Class-DBI@xx.xxxx.xxx
Message-ID: <rt-6434-19300.9.76851736534812@xxxx.xxx>
RT-Ticket: cpan #6434
Managed-by: RT 2.0.15 (http://bestpractical.com/rt/)
Date: Thu, 27 May 2004 02:57:18 -0400 (EDT)
To: undisclosed-recipients: ;


This message about Class-DBI was sent to you by guest <> via rt.cpan.org

Full context and any attached attachments can be found at:
<URL: https://rt.cpan.org/Ticket/Display.html?id=6434 >

Class::DBI 0.96
Perl 5.8.0
RedHat 2.4.21-15.ELsmp
Apache 2.0.46
mod_perl 1.99

My mod_perl2 application uses a custom db_Main method to connect to a database based on some information in the URL.  The app may be called with, say, db=STORE_1 or db=STORE_2.

The %Live_Objects caching introduced in CDB 0.96 uses the class name and primary keys to identify cached objects but does not pay attention to which DB instance the object belongs.

Problem: In a persisted environment (mod_perl), if I retrieve an object with ID 123 from the STORE_1 database, it will be cached and subsequent queries for object with ID 123 in the STORE_2 database (or any other database accessed with this class) will return the cached object.  This is incorrect behavior and a potential SECURITY HOLE since users of STORE_2 may now see data from STORE_1 without authorization.

My Workaround: Use Class::CGI 0.95 which does not exhibit this problem.

Solution: You should incorporate the dbh returned by $class->db_Main as part of the key used in identifying LiveObjects.

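To make the report concrete, here is an added stand-alone Perl simulation (not Class::DBI's own code) of the cache behaviour it describes: two in-memory "databases" stand in for STORE_1 and STORE_2, a hypothetical db_Main returns a distinct handle per store, and the same lookup is run once with a key built only from class name plus primary key, and once with the handle folded into the key as the reporter suggests.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(refaddr);

# Constructed sample data: the same primary key exists in both stores,
# but belongs to different users. Standing in for two real databases.
my %DB = (
    STORE_1 => { 123 => { id => 123, owner => 'alice' } },
    STORE_2 => { 123 => { id => 123, owner => 'bob'   } },
);

# Hypothetical stand-in for a custom $class->db_Main: one handle per store,
# selected from a request parameter (db=STORE_1 / db=STORE_2).
my %Handles;
sub db_Main {
    my ($store) = @_;
    return $Handles{$store} ||= { store => $store };
}

# Object cache modelled on the %Live_Objects cache described in the report.
my %Live_Objects;

# Key as reported for 0.96: class name + primary key, no notion of which DB.
sub key_buggy { my ($class, $dbh, $pk) = @_; return join '|', $class, $pk }

# Suggested fix: make the db_Main handle part of the cache key.
sub key_fixed { my ($class, $dbh, $pk) = @_; return join '|', $class, refaddr($dbh), $pk }

# Retrieve an object, consulting the cache first (the step that leaks).
sub retrieve {
    my ($keyfn, $class, $store, $pk) = @_;
    my $dbh = db_Main($store);
    my $key = $keyfn->($class, $dbh, $pk);
    return $Live_Objects{$key} if exists $Live_Objects{$key};   # cache hit
    my $row = $DB{ $dbh->{store} }{$pk} or return undef;
    return $Live_Objects{$key} = { %$row, _store => $dbh->{store} };
}

for my $scheme ([buggy => \&key_buggy], [fixed => \&key_fixed]) {
    my ($name, $fn) = @$scheme;
    %Live_Objects = ();   # fresh cache for each key scheme
    my $first  = retrieve($fn, 'My::Item', 'STORE_1', 123);
    my $second = retrieve($fn, 'My::Item', 'STORE_2', 123);
    printf "%-5s key: STORE_1 -> %s, STORE_2 -> %s (served from %s)\n",
        $name, $first->{owner}, $second->{owner}, $second->{_store};
}
```

With the buggy key the STORE_2 request is served alice's row from STORE_1; with the handle in the key each store gets its own row.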


Generated at 11:34 on 01 Dec 2004 by mariachi v0.52