<> "Andrew" == Andrew Scherpbier <[EMAIL PROTECTED]> writes:
Andrew> Let me explain why I did what I did...
Andrew> [...]
Andrew> allowing to specify a configuration file in an HTML form is
Andrew> a security risk.
hi Andrew,
Good point here ;-) I didn't think about security issues.
Andrew> The logic with the dot stuff is simply to prevent *any* relative path
Andrew> to be specified. I guess a less stringent rule would be to disallow
Andrew> any values that contain "..".
Ok! So for those who are interested in security issues and want dots in their
config files, change line 108 of the htsearch/htsearch.cc file from this:
if (input.exists("config") && !strchr(input["config"], '.'))
to this:
if (input.exists("config") && !strstr(input["config"], ".."))
That should be good now?
--
- heddy -
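The two rules from the thread side by side with a stricter allowlist variant, as an added C example (not htdig's code); the function names, the 64-character bound and the sample inputs are assumptions, and the allowlist confines the value to a single filename component regardless of how the caller later joins it to a config directory:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Original rule from htsearch.cc as quoted in the thread:
   reject any value containing a dot. */
bool config_ok_strict(const char *name) {
    return strchr(name, '.') == NULL;
}

/* Relaxed rule proposed in the thread: reject only values containing "..". */
bool config_ok_relaxed(const char *name) {
    return strstr(name, "..") == NULL;
}

/* Added allowlist variant (assumption, not htdig code): a single, non-empty,
   bounded filename component made of [A-Za-z0-9_.-], with no leading dot
   (blocks ".", ".." and dotfiles) and no ".." anywhere. Because '/' and '\\'
   are not in the allowlist, no directory can be named at all. */
bool config_ok_allowlist(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64) return false;
    if (name[0] == '.') return false;
    if (strstr(name, "..") != NULL) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
    }
    return true;
}

int main(void) {
    /* Constructed sample values for a "config" form field. */
    const char *samples[] = { "site", "site.conf", "../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-18s strict=%d relaxed=%d allowlist=%d\n", samples[i],
               config_ok_strict(samples[i]), config_ok_relaxed(samples[i]),
               config_ok_allowlist(samples[i]));
    }
    return 0;
}
```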
----------------------------------------------------------------------
To unsubscribe from the htdig mailing list, send a message to
[EMAIL PROTECTED] containing the single word "unsubscribe" in
the body of the message.