> Hi, Geoff and company. I'm a bit concerned about the latest input
> parameters added to htsearch:
My mistake. They were in the patch queue and I let them go through. I
don't like them one bit either and I had a long discussion with the
author about using allow_in_form. I guess his main point was that
allow_in_form only works when you can *get* to the config directory
(which is a pretty good point).
What I *meant* to do was to send the patches to the list and discuss
them. I was a bit hurried last night, so I clearly messed up.
> At the very least, I think these two parameters should be selectable by
> a compile-time option, and disabled by default.
This might work.
> - introduce a new directive "include_if_exists" (or extend
> the current "include" directive to this meaning):
> Same usage, but more admin-friendly ;-)
You mention directives in the config file itself. Include won't include
files if they don't exist. :-)
While I certainly agree (and raised many of these points with the
author), he does have a point. He wants to have users pick the headers
and footers and whatnot. But he doesn't want to force them to use
allow_in_form for all of those directives to redirect from ${commondir}.
Yet this introduces security problems.
What if we have some way of setting a list of allowable directories in
the main config file, which OKs the allow_in_form of something like
common_dir and then reads in the other config? This just occurred to me
and seems like a more secure way of doing it. Or we just point out (like
I did) that you can have sub-directories in your config directory.
--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
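The "list of allowable directories" idea above, worked through as an added example that is not part of this thread or of ht://Dig's code: the config file name a form supplies is resolved (symlinks followed, `..` collapsed) and accepted only if it is an existing file under one of the allowlisted directories. The layout built by `demo()` is constructed for the example, and the assumption that a relative name is looked up in the first allowed directory is mine, not htsearch's behaviour.

```python
import os
import tempfile


def is_under(path, directory):
    """True if `path` equals `directory` or lies beneath it (both already resolved)."""
    return path == directory or path.startswith(directory.rstrip(os.sep) + os.sep)


def select_config(requested, allowed_dirs):
    """Resolve a form-supplied config file name against an allowlist of directories.

    Returns the resolved path if the file exists under one of `allowed_dirs`
    after following symlinks and collapsing '..', otherwise None. This is the
    "list of allowable directories" idea from the thread, not htdig's own code.
    """
    if not isinstance(requested, str) or not requested or "\0" in requested:
        return None
    resolved_allowed = [os.path.realpath(d) for d in allowed_dirs]
    # Assumption: a relative name is looked up in the first allowed directory,
    # the way a config directory would be searched; absolute names are taken as-is.
    if os.path.isabs(requested):
        candidate = requested
    else:
        candidate = os.path.join(resolved_allowed[0], requested)
    # realpath follows symlinks, so a link inside the allowed tree that points
    # outside it is rejected along with plain '..' traversal.
    candidate = os.path.realpath(candidate)
    if not os.path.isfile(candidate):
        return None
    for directory in resolved_allowed:
        if is_under(candidate, directory):
            return candidate
    return None


def demo():
    """Build a constructed config tree in a temp dir and exercise the check.

    Returns {label: accepted} so the behaviour can be asserted on.
    """
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "conf")            # the one allowlisted directory
        os.makedirs(os.path.join(conf, "site1"))
        open(os.path.join(conf, "site1", "htdig.conf"), "w").close()
        open(os.path.join(root, "secret.conf"), "w").close()   # exists, but outside
        # A symlink inside the allowed tree that points outside it.
        os.symlink(os.path.join(root, "secret.conf"), os.path.join(conf, "escape.conf"))
        allowed = [conf]
        cases = [
            ("relative-inside", "site1/htdig.conf"),
            ("dotdot-traversal", "../secret.conf"),
            ("absolute-outside", os.path.join(root, "secret.conf")),
            ("symlink-escape", "escape.conf"),
            ("sibling-prefix", conf + "-other/x.conf"),
            ("missing-file", "site1/nope.conf"),
        ]
        return {label: select_config(req, allowed) is not None for label, req in cases}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:18} {'accepted' if ok else 'rejected'}")
```

Only `relative-inside` is accepted; the traversal, absolute, symlink and sibling-directory cases are all turned away, which is the property the allowlist is meant to give without forcing every directive through allow_in_form.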
------------------------------------
To unsubscribe from the htdig3-dev mailing list, send a message to
[EMAIL PROTECTED] containing the single word "unsubscribe" in
the SUBJECT of the message.