According to Berthold Cogel:
> 'language' is the language used in the templates.
> The replacements in the template paths are working. But for the includes
> it is ignored. If I uncomment the definition of 'language' in this
> configuration, this value is used for the includes. Somehow attributes
> set in the search forms are ignored in the include directive.
>
> -------------------------:<-------------------------------------------
>
> # config file for ht://Dig.
> #
> # .uni-koeln.de
> #
> # faculty
> #
> # Search for institutes, standard template
>
> basedir: /htdig
> #language: de
>
> # allowed attributes
> allow_in_form: matches_per_page \
> script_name \
> faculty \
> language
You shouldn't need matches_per_page in allow_in_form, as the "matchesperpage"
input parameter already overrides the matches_per_page attribute.
> # database definitions
> include ${basedir}/conf/lib/db_uklan.conf
>
> # language dependent definitions
> include ${basedir}/conf/lib/locale_de.conf
>
> # search algorithms
> include ${basedir}/conf/lib/search_${language}.conf
>
> # lists in search form
> include ${basedir}/conf/lib/forms_${language}.conf
>
> # definitions for search results
> include ${basedir}/conf/lib/results_${language}.conf
>
> document_root: /www/docs
> template_dir: /suche/htdig
> image_url_prefix: /suche/htdig/img
> star_blank: ${image_url_prefix}/star_blank.gif
> star_image: ${image_url_prefix}/star.gif
>
> common_dir: ${document_root}${template_dir}
>
> search_results_header: ${common_dir}/${language}_faculty_header.html
> search_results_footer: ${common_dir}/${language}_faculty_footer.html
> search_results_wrapper: ${common_dir}/${language}_faculty_wrapper.html
> syntax_error_file: ${common_dir}/${language}_faculty_syntax.html
> nothing_found_file: ${common_dir}/${language}_faculty_nomatch.html
I just thought you should be aware of the potential security implications
of the above constructs. There is no checking done to see if ${language}
contains path name components, so it might be possible to use this to
access files in other directories.
One way you could avoid this, and get includes working at the same time,
would be to patch in some handling of the "language" input parameter into
htsearch/htsearch.cc, just like it does with "config" to make sure there
are no "./" strings anywhere in it, and if it's OK stick it in the config
list before reading in the config file. Try this patch and see if it does
the trick...
--- htsearch/htsearch.cc.orig Tue Feb 15 16:17:13 2000
+++ htsearch/htsearch.cc Tue May 22 16:34:15 2001
@@ -152,6 +152,9 @@ main(int ac, char **av)
reportError(form("Unable to read configuration file '%s'",
configFile.get()));
}
+ // Allow ${language} in includes, but make sure it's secure...
+ if (input.exists("language") && strstr(input["language"], "./") == NULL)
+ config.Add("language", input["language"]);
config.Read(configFile);
if (input.exists("method"))
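Review bot: the `strstr(input["language"], "./") == NULL` test on the added line is a substring blocklist rather than an allowlist, and that is the weak spot of this hunk. It does stop "../" (which contains "./"), but it still admits a bare '/' and any other character, so a form value such as `language=/foo` or `language=de/..` gets through and is spliced into `${basedir}/conf/lib/search_${language}.conf` and `${common_dir}/${language}_faculty_header.html`, letting the client pick arbitrary sibling subdirectories under those directories. A language code is only ever a few lowercase letters, possibly with an underscore, so the simpler and safer test is to reject the value unless every character is in that set (and to refuse an empty value). A short comment would also help on the ordering: `config.Add` runs before `config.Read`, so if `Read` overwrites existing entries a `language:` line in the config file wins over the form value, which is the behaviour Berthold saw with the commented-out `#language: de` line; whichever way round it is, say so in the comment.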
You'll still want to keep "language" in allow_in_form, so it gets
propagated to the template variable LANGUAGE for use in follow-up
search forms, as well as added to PAGELIST buttons, unless you also
patch Display.cc to handle this directly.
--
Gilles R. Detillieux E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba Phone: (204)789-3766
Winnipeg, MB R3E 3J7 (Canada) Fax: (204)789-3930
_______________________________________________
htdig-general mailing list <[EMAIL PROTECTED]>
FAQ: http://htdig.sourceforge.net/FAQ.html