Manuel Lemos wrote:
>
> >> >At first glance, I would say that there is a possible security hole
> >> >in this class since the htsearch parameters are not shell-escaped.
> >> >This could allow the execution of arbitrary commands.
> >>
> >> I'm not sure how that may happen because the search words, eventually
> >> passed as submitted form values, are URLEncoded and then passed to htsearch
> >> in the QUERY_STRING environment variable. I wonder if URLEncoding would
> >> not prevent all possible attacks.
>
> >Hmm.. I think it will prevent most possible attacks, but not all.
> >One reason for this is that shell-escaping is platform dependent and
> >therefore must be handled differently on different OS platforms by the
> >scripting engine, whereas URLencoding is not platform dependent.
>
> I guess you are right. I may add shell escaping, but now I'm not sure
> what should be escaped. I have something like:
>
> Exec("QUERY_STRING=\"words=".UrlEncode($text)."\" /usr/local/htdig/cgi-bin/htsearch");
>
> I wonder if just escaping the result or UrlEncode call would do. What do you think?
It depends upon the parameters of the query string. Some parts need to
be urlencoded, since they might contain characters which must be passed
to htsearch in an encoded way. Others can be passed to htsearch as is.
In the wrapper I wrote some time ago (see the contrib section of
ftp.htdig.org), I used the following code to invoke htsearch from PHP:
Exec($this->htsearch_bin." \"".
     "config=".$this->config()."&".
     "words=".EscapeShellCmd(UrlEncode($the_words))."&".
     "keywords=".EscapeShellCmd(UrlEncode($the_keywords))."&".
     "page=".((string)$page_val)."&".
     "sort=".$this->sort()."&".
     "format=".$this->format()."&".
     "method=".$this->method()."&".
     "matchesperpage=".$this->matches_per_page()."&".
     "exclude=".$this->exclude()."&".
     "restrict=".$this->restrict()."\"",
     &$this->result_data);
As you can see, there is also no need to set up any environment variables,
since htsearch is invoked in commandline mode.
cheers,
Torsten
--
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstraße 14 Tel: +49-4101-403605
D-25474 Ellerbek Fax: +49-4101-403606
E-Mail: [EMAIL PROTECTED] Internet: http://www.inwise.de
------------------------------------
To unsubscribe from the htdig mailing list, send a message to
[EMAIL PROTECTED]
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
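The escaping question raised in this thread, worked through as an added example: this is not code from the thread, from Manuel's class or from Torsten's wrapper. It keeps the thread's parameter names (config, words, page, method) and the htsearch path from Manuel's snippet, which is an assumed location here. It shows two defensive layers: urlencode() on every value plus escapeshellarg() around the whole query string for the exec() route, and a proc_open() array command (PHP 7.4 or later) that skips the shell entirely, so no escaping is needed at all. Parameter names are fixed by the caller and validated, so only values ever come from the request.

```php
<?php
// Added example, not the thread's own code. HTSEARCH_BIN is an assumed path
// taken from the snippet quoted in the thread.
declare(strict_types=1);

const HTSEARCH_BIN = '/usr/local/htdig/cgi-bin/htsearch';

/**
 * Build the query string htsearch expects on its command line.
 * Every value goes through urlencode(), so the result can only contain
 * [A-Za-z0-9_.+%-] plus the '&' and '=' separators, none of which the shell
 * treats specially. Keys are chosen by the caller and validated here, because
 * a caller-controlled key is the only way a raw character could slip in.
 */
function build_htsearch_query(array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        if (!preg_match('/^[a-z]+$/', (string) $key)) {
            throw new InvalidArgumentException("unexpected parameter name: $key");
        }
        $pairs[] = $key . '=' . urlencode((string) $value);
    }
    return implode('&', $pairs);
}

/**
 * Command line for the shell-based exec() route. escapeshellarg() wraps the
 * entire query in single quotes and escapes any embedded single quote, so
 * even if urlencode() were missing on a value the argument could not break
 * out of its quoting. This is the argument-level counterpart to the
 * EscapeShellCmd() call in Torsten's wrapper.
 */
function build_htsearch_command(array $params): string
{
    return escapeshellarg(HTSEARCH_BIN) . ' '
        . escapeshellarg(build_htsearch_query($params));
}

/**
 * Preferred route on PHP >= 7.4: an array command makes proc_open() start the
 * binary directly, with no shell in between, so there is nothing left to
 * escape. The return value carries exit status and both output streams.
 */
function run_htsearch(array $params): array
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([HTSEARCH_BIN, build_htsearch_query($params)], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htsearch');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ['status' => $status, 'stdout' => $out, 'stderr' => $err];
}

// Constructed hostile search term: if interpolated raw inside the double
// quotes of the quoted snippet, it would close the quoted argument and the
// shell would see a second command. After urlencode() it is inert text.
$hostile = '"; rm -rf / #';

echo build_htsearch_command([
    'config' => 'htdig',
    'words'  => $hostile,
    'page'   => 1,
    'method' => 'and',
]), PHP_EOL;
```

Run it under the PHP CLI to see the single-quoted, fully encoded command line that exec() would receive; run_htsearch() is only useful where an htsearch binary actually exists at the assumed path, which is why the script prints the command instead of executing it.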