According to Gilles Detillieux:
>Hi, Geoff and company. I'm a bit concerned about the latest input parameters
>added to htsearch:
>
> Thu Jun 24 22:28:44 1999 Geoff Hutchison <[EMAIL PROTECTED]>
>
> * htsearch/htsearch.cc (main): Add support for form inputs
> configdir and commondir as contributed by Herbert Martin Dietze
> <[EMAIL PROTECTED]>.
>
> * htsearch/Display.cc (createURL): If configdir and commondir are
> defined, add them to URLs sent for other pages.
>
>Personally, I don't think these are a good idea. First of all, the
>common_dir configuration attribute already could be overridden by an input
>parameter common_dir, as long as you add common_dir to allow_in_form.
>All the new commondir input parameter does is remove the underscore,
>and remove the control from the site administrator. Now anybody can
>override commondir to have a look around at other directories, whether
>the site administrator want to allow that or not.
>
>Similarly, allowing anybody to override the configuration directory
>defeats the security check in htsearch, to prevent ./ from being used
>in the config input parameter. Now you can try to get your .conf file
>from anywhere.
>
>At the very least, I think these two parameters should be selectable by
>a compile-time option, and disabled by default.
I agree with Gilles in believing of this to be a security hole.
I understand the reason for this option (to make it more user-
configurable), but there are other ways which are more secure
from my point of view:
- the "include" directive:
Can be used to include any user defined configuration. If
used in sequence after a default configuration, it will
override the default with user input. The search engine
admin could setup this directive for the user on request.
- introduce a new directive "include_if_exists" (or extend
the current "include" directive to this meaning):
Same usage, but more admin-friendly ;-)
With such a user defined configuration, there is IMHO no need for
any option passed to htsearch.
regards,
Torsten
--
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstra�e 14 Tel: +49-4101-403605
D-25474 Ellerbek Fax: +49-4101-403606
E-Mail: [EMAIL PROTECTED] Internet: http://www.inwise.de
------------------------------------
To unsubscribe from the htdig3-dev mailing list, send a message to
[EMAIL PROTECTED] containing the single word "unsubscribe" in
the SUBJECT of the message.
