* lib/cgi/session.rb (CGI::Session::FileStore#initialize): do not

use a session id as a filename.
* lib/cgi/session/pstore.rb (CGI::Session::PStore#initialize): ditto.
* lib/cgi/session/pstore.rb (CGI::Session::PStore#initialize): use
  Dir::tmpdir.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@6815 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,13 @@
+Tue Aug 24 16:41:48 2004  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/cgi/session.rb (CGI::Session::FileStore#initialize): do not
+	  use a session id as a filename.
+
+	* lib/cgi/session/pstore.rb (CGI::Session::PStore#initialize): ditto.
+
+	* lib/cgi/session/pstore.rb (CGI::Session::PStore#initialize): use
+	  Dir::tmpdir.
+
 Tue Aug 24 14:32:17 2004  Shugo Maeda  <shugo@ruby-lang.org>
 
 	* lib/cgi/session.rb (CGI::Session::FileStore#initialize): untaint

lib/cgi/session.rb

@@ -331,10 +331,6 @@ class CGI
     # user is responsible for converting other types to Strings when
     # storing and from Strings when retrieving.
     class FileStore
-      def check_id(id) #:nodoc:
-	/[^0-9a-zA-Z]/ =~ id.to_s ? false : true
-      end
-
       # Create a new FileStore instance.
       #
       # This constructor is used internally by CGI::Session.  The
@@ -361,10 +357,9 @@ class CGI
 	dir = option['tmpdir'] || Dir::tmpdir
 	prefix = option['prefix'] || ''
 	id = session.session_id
-	unless check_id(id)
+        require 'digest/md5'
-	  raise ArgumentError, "session_id `%s' is invalid" % id
+        md5 = Digest::MD5.hexdigest(id)[0,16]
-	end
+	@path = dir+"/"+prefix+md5
-	@path = dir+"/"+prefix+id.dup.untaint
 	unless File::exist? @path
 	  @hash = {}
 	end

lib/cgi/session/pstore.rb

@@ -31,10 +31,6 @@ class CGI
     # library file pstore.rb.  Session data is marshalled and stored
     # in a file.  File locking and transaction services are provided.
     class PStore
-      def check_id(id) #:nodoc:
-	/[^0-9a-zA-Z]/ =~ id.to_s ? false : true
-      end
-
       # Create a new CGI::Session::PStore instance
       #
       # This constructor is used internally by CGI::Session.  The
@@ -58,13 +54,12 @@ class CGI
       # This session's PStore file will be created if it does
       # not exist, or opened if it does.
       def initialize session, option={}
-	dir = option['tmpdir'] || ENV['TMP'] || '/tmp'
+	dir = option['tmpdir'] || Dir::tmpdir
 	prefix = option['prefix'] || ''
 	id = session.session_id
-	unless check_id(id)
+        require 'digest/md5'
-	  raise ArgumentError, "session_id `%s' is invalid" % id
+        md5 = Digest::MD5.hexdigest(id)[0,16]
-	end
+	path = dir+"/"+prefix+md5
-	path = dir+"/"+prefix+id
 	path.untaint
 	unless File::exist? path
 	  @hash = {}