Hi, Geoff and company. I'm a bit concerned about the latest input parameters
added to htsearch:
Thu Jun 24 22:28:44 1999 Geoff Hutchison <[EMAIL PROTECTED]>

        * htsearch/htsearch.cc (main): Add support for form inputs
        configdir and commondir as contributed by Herbert Martin Dietze
        <[EMAIL PROTECTED]>.

        * htsearch/Display.cc (createURL): If configdir and commondir are
        defined, add them to URLs sent for other pages.
Personally, I don't think these are a good idea. First of all, the
common_dir configuration attribute already could be overridden by an input
parameter common_dir, as long as you add common_dir to allow_in_form.
All the new commondir input parameter does is remove the underscore,
and remove the control from the site administrator. Now anybody can
override commondir to have a look around at other directories, whether
the site administrator wants to allow that or not.
Similarly, allowing anybody to override the configuration directory
defeats the security check in htsearch, to prevent ./ from being used
in the config input parameter. Now you can try to get your .conf file
from anywhere.
At the very least, I think these two parameters should be selectable by
a compile-time option, and disabled by default.
--
Gilles R. Detillieux E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba Phone: (204)789-3766
Winnipeg, MB R3E 3J7 (Canada) Fax: (204)789-3930
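The two checks the message is arguing for, as an added illustration rather than htsearch's own code: form inputs override a configuration attribute only when the administrator listed it in allow_in_form (the underscore-less aliases are not honoured), a directory value taken from the form must be absolute and free of ".." components, and the config input may only name a file inside the compiled-in directory. kConfigDir and all function names are assumptions for the example.

```cpp
#include <cctype>
#include <map>
#include <set>
#include <string>

// Constructed example; kConfigDir stands in for the directory compiled into htsearch.
static const std::string kConfigDir = "/opt/htdig/conf";

// The "config" input may only name a file: letters, digits, '_' and '-'.
// A path separator or a dot ("./", "../", absolute paths) is refused, so the
// .conf file can only come from kConfigDir.
bool isSafeConfigName(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && c != '_' && c != '-') return false;
    return true;
}

// Returns the path of the .conf file to read, or "" when the name is rejected.
std::string configPathFor(const std::string& name) {
    return isSafeConfigName(name) ? kConfigDir + "/" + name + ".conf" : "";
}

// A directory supplied through the form must be absolute and contain no ".." component.
bool isSafeDirectory(const std::string& dir) {
    if (dir.empty() || dir[0] != '/') return false;
    std::string part;
    for (size_t i = 0; i <= dir.size(); ++i) {
        if (i == dir.size() || dir[i] == '/') {
            if (part == "..") return false;
            part.clear();
        } else {
            part += dir[i];
        }
    }
    return true;
}

// Apply form inputs to the configuration. An input overrides an attribute only when the
// administrator listed that attribute in allow_in_form; aliases such as "commondir" are
// simply ignored, and directory-valued attributes are checked with isSafeDirectory.
std::map<std::string, std::string> applyFormOverrides(
        std::map<std::string, std::string> config,
        const std::set<std::string>& allowInForm,
        const std::map<std::string, std::string>& form) {
    static const std::set<std::string> dirAttrs = {"common_dir"};  // extend as needed
    for (const auto& kv : form) {
        if (!allowInForm.count(kv.first)) continue;  // not allowed by the administrator
        if (dirAttrs.count(kv.first) && !isSafeDirectory(kv.second)) continue;
        config[kv.first] = kv.second;
    }
    return config;
}
```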