I have been making the assumption that in MediaWiki, the $_SESSION is hidden from the user. While applications may use the session to obtain data that's later shown to the user, there should be no way for the user to obtain the entire $_SESSION contents.
So, for instance, I can hide a temporary secret there.
Is that a good assumption?
2010/9/23 Neil Kandalgaonkar neilk@wikimedia.org:
> I have been making the assumption that in MediaWiki, the $_SESSION is hidden from the user. While applications may use the session to obtain data that's later shown to the user, there should be no way for the user to obtain the entire $_SESSION contents.
> So, for instance, I can hide a temporary secret there.
> Is that a good assumption?
As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
Roan Kattouw (Catrope)
> As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
-- Ryan Lane
In fact, I advised Aurthur not to store exactly that (credit card information) in sessions for this reason - but I also think there are few things that are as sensitive as credit card information, passwords, and social security numbers.
- Trevor
On 9/23/10 2:24 PM, Ryan Lane wrote:
>> As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
> The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
> -- Ryan Lane
> Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 9/23/10 2:24 PM, Ryan Lane wrote:
> The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
Good point, but in this case I'm just storing the path to a temporary file.
The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.
On Fri, Sep 24, 2010 at 1:36 AM, Neil Kandalgaonkar neilk@wikimedia.org wrote:
> On 9/23/10 2:24 PM, Ryan Lane wrote:
>> The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
> Good point, but in this case I'm just storing the path to a temporary file.
> The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.
If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?
Marco
On 24/09/10 10:00, Marco Schuster wrote:
> If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?
It's deleted on request shutdown.
-- Tim Starling
* Tim Starling tstarling@wikimedia.org [Fri, 24 Sep 2010 11:15:41 +1000]:
> On 24/09/10 10:00, Marco Schuster wrote:
>> If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?
> It's deleted on request shutdown.
One probably can rename it to another temporary name? Then move it to the final location during the next request, according to a previously passed cookie?
Speaking of cookies, there are millions of ways of looking at them: FF's WebDeveloper extension, the HTTP headers extension, the Wireshark application, to name just a few. Absolutely non-secure when unencrypted.
Dmitriy
On 2010-09-24, Dmitriy Sintsov wrote:
> One probably can rename it to another temporary name? Then move it to the final location during the next request, according to a previously passed cookie?
> Speaking of cookies, there are millions of ways of looking at them: FF's WebDeveloper extension, the HTTP headers extension, the Wireshark application, to name just a few. Absolutely non-secure when unencrypted.
Session data is not stored in cookies, only a unique session identifier is passed to the client.
Robert
* Robert Leverington robert@rhl.me.uk [Fri, 24 Sep 2010 06:57:03 +0100]:
> On 2010-09-24, Dmitriy Sintsov wrote:
>> One probably can rename it to another temporary name? Then move it to the final location during the next request, according to a previously passed cookie?
>> Speaking of cookies, there are millions of ways of looking at them: FF's WebDeveloper extension, the HTTP headers extension, the Wireshark application, to name just a few. Absolutely non-secure when unencrypted.
> Session data is not stored in cookies, only a unique session identifier is passed to the client.
I think the question wasn't about the session data (part of which (username, id) is passed via cookies, but you're right, only a hash), but about uploading the file in a few "stages".
Dmitriy
Neil: Yes.
Tim Starling wrote:
> On 24/09/10 10:00, Marco Schuster wrote:
>> If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?
> It's deleted on request shutdown.
> -- Tim Starling
If the file is not moved away, there's no point in storing its path in $_SESSION, as it won't be available on the next request (it could be used for parameter passing in globals, but that's not proper style).
If the file is moved somewhere else, then you need to garbage collect it in case the upload is never finished. A find -delete from cron removing files older than a couple of days could be enough. It would be nice to be able to attach delete handlers to memcached keys for the cases when there's "something more" that needs deleting (this is the same problem we also had with the temp dbs for selenium tests).
On 24/09/10 01:36, Neil Kandalgaonkar wrote:
> Good point, but in this case I'm just storing the path to a temporary file.
> The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.
Hello Neil,
The file path might be sensitive; you do not want to potentially expose your path hierarchy. At least, I would not do it :)
About your issue, assuming the media file has been entered in the image/media database table:
- When the user is redirected to a new page upon upload, you might just pass the file ID by parameter / session.
- When the user is allowed to upload several files and then is prompted for licences, you might just look in the database for files owned by the user for which the licence is null.
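The flow the thread converges on (move the upload out of PHP's per-request temp location, keep only an opaque key in $_SESSION rather than the filesystem path, and garbage-collect abandoned files from cron) as an added example; this is not MediaWiki's code nor any poster's. The function names, `$stashDir` and the `.stash` suffix are hypothetical, and it assumes `session_start()` has already been called.

```php
<?php
// Added example, not MediaWiki's own code: keep an upload alive across requests
// by stashing it under a random key and putting only that key into $_SESSION.
// Assumptions: session_start() has run, $stashDir is outside the web root and
// writable only by the web server, and all names below are hypothetical.

const STASH_TTL_SECONDS = 2 * 24 * 3600;   // "a couple of days"

/** Move the just-uploaded file into the stash and return its opaque key. */
function stashUpload(string $fieldName, string $stashDir): string {
    if (!isset($_FILES[$fieldName]) || $_FILES[$fieldName]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("no successful upload in field $fieldName");
    }
    // PHP removes the upload's temp file at request shutdown, so move it now.
    $key  = bin2hex(random_bytes(16));        // unguessable, never user-supplied
    $dest = "$stashDir/$key.stash";
    if (!move_uploaded_file($_FILES[$fieldName]['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into the stash');
    }
    // Only the key reaches the client (form field or session); the path does not.
    $_SESSION['stash'][$key] = ['stashed' => time()];
    return $key;
}

/** Resolve a key sent back by the client to a stash path, or null if not ours. */
function stashPath(string $key, string $stashDir): ?string {
    // Accept only keys this session created: a key belonging to another user's
    // session, or any non-hex value, is rejected before any filesystem access.
    if (strlen($key) !== 32 || !ctype_xdigit($key) || !isset($_SESSION['stash'][$key])) {
        return null;
    }
    $path = "$stashDir/$key.stash";
    return is_file($path) ? $path : null;
}

/** Delete stash files older than the TTL; run from cron or a maintenance script. */
function stashGarbageCollect(string $stashDir, ?int $now = null): int {
    $now ??= time();
    $removed = 0;
    foreach (glob("$stashDir/*.stash") ?: [] as $file) {
        if ($now - filemtime($file) > STASH_TTL_SECONDS && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}
```

Because the session entry is created server-side and checked before any path is built, a client cannot redirect `stashPath()` to a file it did not upload, and the garbage collector does not depend on the session still existing.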