According to Geoff Hutchison:
> This was forwarded to the htdig-bugs address. I think it's a very
> good idea and certainly would solve the problems for Russian ht://Dig
> users in a very elegant way. However, I think I'd like to have a
> bunch of eyes go over this and think about possible security problems
> before we take it.
>
> I'm potentially worried about scenarios where the config operation
> can get ruined by someone setting an environment variable.
>
> Of course, if we go to a validating config parser like we talked
> about recently, people will have to specify which variables should be
> expanded, which decreases the risk considerably.
>
> Thoughts?
I liked the general idea when I saw this, but I'm not wild about how
it's hidden in the syntax (i.e. $(var) vs. ${var}, which until now were
semantically equivalent). I don't know how much potential for abuse there
is, as you can't arbitrarily set any environment variable through the CGI
interface, only some like HTTP_USER_AGENT, PATH_INFO, PATH_TRANSLATED,
QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REQUEST_URI, SCRIPT_FILENAME,
and SCRIPT_NAME. As long as you avoid those in your config files or
templates, or at least are very careful about how they're used, you
should be safe.

However, it might make sense to treat this idea like the allow_in_form
attribute, by adding an allow_in_environment attribute. The idea is
similar, except instead of a CGI input parameter from the form, it's an
environment variable that becomes a config attribute and corresponding
template variable. I had also been considering an allow_in_template
attribute, to specify which attributes can be used in templates, but
without allowing overrides of these attributes. I guess we'd also need
to decide if this would work only in htsearch, or in the other programs
too. The patch given would affect all programs, but I think the feature
was needed only in htsearch, for selecting template files.
--
Gilles R. Detillieux E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba Phone: (204)789-3766
Winnipeg, MB R3E 3J7 (Canada) Fax: (204)789-3930
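
A sketch of the allow_in_environment idea discussed in the message above, as an added example that is not ht://Dig code or the submitted patch. It assumes `$(NAME)` is the environment form; `expandEnv`, `Env`, `kClientControlled` and the sample values are hypothetical names made up for the illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Variables a web client can influence through CGI (the list from the message).
static const std::set<std::string> kClientControlled = {
    "HTTP_USER_AGENT", "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING",
    "REMOTE_ADDR", "REMOTE_HOST", "REQUEST_URI", "SCRIPT_FILENAME", "SCRIPT_NAME"};

using Env = std::map<std::string, std::string>;

// Expand $(NAME) from `env` only when NAME is in `allowed` (standing in for an
// allow_in_environment list), is not client-controlled, and is actually set.
// Every other reference stays as literal text and its name goes into `skipped`.
std::string expandEnv(const std::string& in, const std::set<std::string>& allowed,
                      const Env& env, std::set<std::string>* skipped = nullptr) {
    std::string out;
    for (std::size_t i = 0; i < in.size();) {
        std::size_t close = std::string::npos;
        if (in.compare(i, 2, "$(") == 0) close = in.find(')', i + 2);
        if (close == std::string::npos) { out += in[i++]; continue; }  // plain char
        const std::string name = in.substr(i + 2, close - i - 2);
        const auto it = env.find(name);
        if (allowed.count(name) && !kClientControlled.count(name) && it != env.end()) {
            out += it->second;                 // permitted: substitute the value
        } else {
            out.append(in, i, close - i + 1);  // not permitted: keep "$(NAME)" as is
            if (skipped) skipped->insert(name);
        }
        i = close + 1;
    }
    return out;
}

int main() {
    // Constructed sample environment and attribute value.
    const Env env = {{"LANG", "ru"}, {"QUERY_STRING", "q=test"}};
    const std::set<std::string> allowed = {"LANG", "QUERY_STRING"};
    std::set<std::string> skipped;
    std::cout << expandEnv("templates/$(LANG)/header.html?$(QUERY_STRING)",
                           allowed, env, &skipped) << "\n";
    for (const auto& n : skipped) std::cout << "not expanded: " << n << "\n";
}
```

Listing a client-controlled name in the allow list does not enable it here, which is a stricter choice than the message's "very careful" wording.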