On Fri, Mar 14, 2008 at 12:14:14AM +0100, Petr Baudis wrote:
> +# projects list cache for busy sites with many projects; > +# if you set this to non-zero, it will be used as the cached > +# index lifetime in minutes > +# the cached list version is stored in /tmp and can be tweaked > +# by other scripts running with the same uid as gitweb - use this > +# only at secure installations; only single gitweb project root per > +# system is supported! > +our $projlist_cache_lifetime = 0;

I think that would be a situation where an uppercase disclaimer would be appropriate ;)

In addition to the race condition problem mentioned in other mails it also has a symlink vulnerability.

I think one should seriously consider reusing an existing caching solution instead of reinventing the wheel here. There are a lot of CPAN modules to do that and at least Apache also has modules for that which you could use without any code changes at all...

Regards,
-- 
Frank Lichtenheld <frank@xxxxxxxxxxxxxx>
www: http://www.djpig.de/
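
Review bot: the comment above `our $projlist_cache_lifetime = 0;` understates the exposure when it says the cached list "can be tweaked by other scripts running with the same uid as gitweb". /tmp is writable by every local user, so any account can create a file or link there before gitweb does, not only that uid. The comment also never says which file in /tmp is used. Suggest adding a separate setting for the cache location that defaults to a directory only the gitweb uid can write to, and naming that path in this comment so an administrator can check its ownership and mode before setting a non-zero lifetime.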
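
The reply above points at a symlink problem with a cache file kept in /tmp. The following Perl sketch writes and reads such a cache without following a planted link; it is an added example, not code from the patch or from gitweb, and the function names, the cache file name `projlist` and the use of a private temporary directory are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);
use File::Temp qw(tempfile tempdir);

# Name taken from the quoted hunk: cache lifetime in minutes.
our $projlist_cache_lifetime = 5;

# Accept only a real directory owned by us that no one else can write to.
sub cache_dir_ok {
    my ($dir) = @_;
    my @st = lstat($dir) or return 0;
    return S_ISDIR($st[2]) && $st[4] == $> && !($st[2] & 022) ? 1 : 0;
}

# Write under a random name opened with O_EXCL, then rename into place,
# so a reader sees either the old list or the complete new one.
sub write_cache {
    my ($dir, $name, $data) = @_;
    cache_dir_ok($dir) or die "unsafe cache directory: $dir\n";
    my ($fh, $tmp) = tempfile("$name.XXXXXX", DIR => $dir);
    print {$fh} $data or die "write $tmp: $!\n";
    close($fh) or die "close $tmp: $!\n";
    rename($tmp, "$dir/$name") or die "rename $tmp: $!\n";
    return 1;
}

# Return the cached text, or undef if missing, stale, or not trustworthy.
sub read_cache {
    my ($dir, $name) = @_;
    cache_dir_ok($dir) or return undef;
    sysopen(my $fh, "$dir/$name", O_RDONLY | O_NOFOLLOW) or return undef;
    my @st = stat($fh);                      # fstat on the opened handle
    return undef unless @st && S_ISREG($st[2]) && $st[4] == $>;
    return undef if time - $st[9] > $projlist_cache_lifetime * 60;
    local $/;                                # slurp mode
    return scalar <$fh>;
}

# Demo with constructed data in a private (0700) temporary directory.
my $dir = tempdir(CLEANUP => 1);
write_cache($dir, "projlist", "project-a.git\nproject-b.git\n");
print read_cache($dir, "projlist");

# A symlink planted under the cache name is refused, not followed.
write_cache($dir, "decoy", "not the project list\n");
unlink "$dir/projlist";
symlink "$dir/decoy", "$dir/projlist" or die "symlink: $!\n";
print defined read_cache($dir, "projlist") ? "followed\n" : "refused\n";
```

`O_NOFOLLOW` is only exported by Fcntl on platforms that define it, so the read path as written assumes a system such as Linux or a BSD.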