Gilles Detillieux wrote:
> 
> You shouldn't need matches_per_page in allow_in_form, as the "matchesperpage"
> input parameter already overrides the matches_per_page attribute.
> 

OK! I missed that.

> 
> I just thought you should be aware of the potential security implications
> of the above constructs.  There is no checking done to see if ${language}
> contains path name components, so it might be possible to use this to
> access files in other directories.
> 
> One way you could avoid this, and get includes working at the same time,
> would be to patch in some handling of the "language" input parameter into
> htsearch/htsearch.cc, just like it does with "config" to make sure there
> are no "./" strings anywhere in it, and if it's OK stick it in the config
> list before reading in the config file.  Try this patch and see if it does
> the trick...
> 
> --- htsearch/htsearch.cc.orig   Tue Feb 15 16:17:13 2000
> +++ htsearch/htsearch.cc        Tue May 22 16:34:15 2001
> @@ -152,6 +152,9 @@ main(int ac, char **av)
>         reportError(form("Unable to read configuration file '%s'",
>                          configFile.get()));
>      }
> +    // Allow ${language} in includes, but make sure it's secure...
> +    if (input.exists("language") && strstr(input["language"], "./") == NULL)
> +       config.Add("language", input["language"]);
>      config.Read(configFile);
> 
>      if (input.exists("method"))
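
Review bot: the `strstr(input["language"], "./") == NULL` test on the added `if` rejects "../" and "./" but still accepts a bare "/", so a value such as "/etc/passwd" or "sub/dir" passes and ${language} can still carry path name components into an include. A language value never legitimately needs a slash or a dot, so consider rejecting both outright, e.g. `strchr(input["language"], '/') == NULL && strchr(input["language"], '.') == NULL`, or better an allowlist of `[A-Za-z0-9_-]`; the comment "make sure it's secure" promises more than the "./" test delivers. Also, when the test fails the parameter is silently dropped and the config falls back to its default; a `reportError` in that branch, as is done for an unreadable configuration file a few lines above, would make a rejected value visible instead.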
> 
> You'll still want to keep "language" in allow_in_form, so it gets
> propagated to the template variable LANGUAGE for use in follow-up
> search forms, as well as added to PAGELIST buttons, unless you also
> patch Display.cc to handle this directly.
> 
> --
> Gilles R. Detillieux              E-mail: <[EMAIL PROTECTED]>
> Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
> Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
> Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930


It does ...  :-))

Thanks a lot.


Berthold Cogel


-- 
Dr. rer. nat. Berthold Cogel                   University of Cologne
E-Mail: [EMAIL PROTECTED]                 ZAIK-US (RRZK)
Tel.:   +49(0)221/478-7020                     Robert-Koch-Str. 10
FAX:    +49(0)221/478-5568                     D-50931 Cologne - Germany
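The substring check in the patch quoted above is the weak point of the thread, so here is an added example, written for this page and not code from htdig or from either correspondent, that puts the patch's `strstr(..., "./")` test next to a stricter allowlist check and runs both over constructed sample values of the "language" parameter. The include pattern `${language}/htsearch.conf`, the 32-character limit, and the `[A-Za-z0-9_-]` character set are assumptions for the example, not htdig defaults.

```cpp
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>

// The check from the quoted patch: accept the value unless it contains "./".
// This blocks "../" and "./" but not a bare or leading "/".
bool passesDotSlashCheck(const char *language) {
    return std::strstr(language, "./") == NULL;
}

// Stricter allowlist (assumption for this example: a language tag only needs
// letters, digits, '_' and '-', as in "en", "de_DE", "pt-BR"). Any other byte,
// '/' and '.' included, is rejected, so the value can never form a path
// component or leave the directory the include was written for.
bool isSafeLanguageTag(const std::string &language) {
    if (language.empty() || language.size() > 32)   // assumed length cap
        return false;
    for (std::string::size_type i = 0; i < language.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(language[i]);
        if (!(std::isalnum(c) || c == '_' || c == '-'))
            return false;
    }
    return true;
}

// Plain textual substitution of ${language} into an include pattern, standing
// in for what a config-file include does with the attribute. The pattern used
// in main() is a constructed example, not an htdig default.
std::string expandLanguage(const std::string &pattern, const std::string &language) {
    static const std::string var = "${language}";
    std::string out = pattern;
    std::string::size_type pos = 0;
    while ((pos = out.find(var, pos)) != std::string::npos) {
        out.replace(pos, var.size(), language);
        pos += language.size();   // skip past the inserted value, never re-scan it
    }
    return out;
}

int main() {
    // Constructed sample values of the "language" CGI parameter.
    const char *samples[] = {
        "en", "de_DE", "pt-BR", "../../etc/passwd", "/etc", "sub/dir", "en.conf"
    };
    const std::string pattern = "${language}/htsearch.conf";   // assumed pattern

    for (const char *s : samples) {
        std::cout << "language=" << s
                  << "  \"./\" check: " << (passesDotSlashCheck(s) ? "accept" : "reject")
                  << "  allowlist: "    << (isSafeLanguageTag(s)  ? "accept" : "reject")
                  << "  include would read: " << expandLanguage(pattern, s) << "\n";
    }
    return 0;
}
```

Running it shows "/etc" and "sub/dir" accepted by the "./" test while the allowlist rejects them; with the assumed pattern, "/etc" would turn the include into "/etc/htsearch.conf". The allowlist is the check to prefer: it names what a language tag may contain rather than enumerating strings an attacker must avoid.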

_______________________________________________
htdig-general mailing list <[EMAIL PROTECTED]>
To unsubscribe, send a message to <[EMAIL PROTECTED]> with a 
subject of unsubscribe
FAQ: http://htdig.sourceforge.net/FAQ.html
