Comments (6)
@tv42 What's the security issue exactly? They're all in tests and go test code already has full system access anyway. Also, the last 3 db_test.go references are only for generating string representations of DB. The example_test.go references are there because it's cleaner to show in the Examples section of godocs.
Fixed in #127.
Sorry for losing track of this ticket. The bad code is gone, replying here for the sake of historical record.
The reason for avoiding hardcoded paths to files inside /tmp is that on multi-user systems, that behavior lets other users attack you. Classic attacks target root, but this is a general user isolation crossing technique.
Some more modern less-UNIX environments have all kinds of mitigating mechanisms, but even if the attacks themselves are stopped, if a program assumes /tmp/foo is safe to mess with, what happens when you run two copies of the program? Or two different users run the program? Or someone does "touch /tmp/foo" and goes on a vacation? (Cue rant about how /tmp should not be shared across users anymore, in this day and age of bind mounts and what not.)
http://www.infosecwriters.com/texts.php?op=display&id=159
https://en.wikipedia.org/wiki/Symlink_race
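The safe alternative to a hardcoded `/tmp/foo` in a Go test is to put the scratch database inside a freshly created, randomly named directory that only the current user can enter, and to refuse to open a path that turns out to be a symlink. The following is an added illustration written for this thread; it is not Bolt's code and does not show how #127 was fixed. The function names `privateTempDB` and `checkPrivatePath` are hypothetical, and the example relies on `os.MkdirTemp` (Go 1.16+) creating the directory with mode 0700 and retrying on a name collision.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// privateTempDB returns a path for a scratch database file inside a freshly
// created, randomly named directory with mode 0700. Because the directory is
// private to the calling user and its name is unpredictable, nobody else can
// pre-create, symlink or "touch" the file, and two copies of the program (or
// two users) never collide on the same name. The returned cleanup function
// removes the directory and everything in it.
func privateTempDB(prefix string) (path string, cleanup func(), err error) {
	dir, err := os.MkdirTemp("", prefix) // 0700, retries on collision
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(dir) }
	return filepath.Join(dir, "db"), cleanup, nil
}

// checkPrivatePath verifies that a database path is safe to open: its parent
// must be a real directory (not a symlink) that only the owner can access,
// and if the file already exists it must be a regular file rather than a
// symlink that would redirect writes elsewhere. Lstat is used so that a
// symlink is reported as a symlink instead of being followed.
func checkPrivatePath(path string) error {
	parentDir := filepath.Dir(path)
	parent, err := os.Lstat(parentDir)
	if err != nil {
		return err
	}
	if !parent.IsDir() { // false for a symlink even if it points at a directory
		return errors.New("parent is not a directory")
	}
	if parent.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("parent directory %s is accessible to other users (mode %o)",
			parentDir, parent.Mode().Perm())
	}
	info, err := os.Lstat(path)
	if errors.Is(err, fs.ErrNotExist) {
		return nil // not created yet; the private directory protects the name
	}
	if err != nil {
		return err
	}
	if info.Mode()&fs.ModeSymlink != 0 {
		return errors.New("database path is a symlink")
	}
	if !info.Mode().IsRegular() {
		return errors.New("database path is not a regular file")
	}
	return nil
}

func main() {
	// Two independent "test runs" each get a private location, so neither
	// can clobber the other's data and no fixed name exists to be planted.
	for i := 0; i < 2; i++ {
		path, cleanup, err := privateTempDB("bolt-")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		defer cleanup()
		if err := checkPrivatePath(path); err != nil {
			fmt.Println("unsafe:", err)
			return
		}
		fmt.Println("run", i, "uses", path)
	}
}
```

In a test, `privateTempDB` replaces the fixed `/tmp/...` literal and `checkPrivatePath` is the guard to run before handing the path to the database open call; the world-readable, shared `/tmp` itself would fail the parent-directory check, which is the point of the comment above.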
Thanks for following up on the ticket. By the way, I really liked your LA gophers talk on Bolt. I thought it was a really straightforward and good intro.
Thanks! Feel free to steal my way of explaining it ;)
Definitely! I'm going to start closing up the "documentation" GitHub issues. It'll be useful for writing a Getting Started section.