I suspect that the correct thing to be looking for is slash '/' which
would offer the opportunity of putting a config file in an arbitrary
location (your HT://Dig config directory is not world-writeable, I hope).
Tim
On 26 May 1998, heddy Boubaker wrote:
>
> <> "Andrew" == Andrew Scherpbier <[EMAIL PROTECTED]> writes:
>
> Andrew> Let me explain why I did what I did...
> Andrew> [...]
> Andrew> allowing a configuration file to be specified in an HTML form is
> Andrew> a security risk.
>
> hi Andrew,
>
> Good point here ;-) I didn't think about security issues.
>
> Andrew> The logic with the dot stuff is simply to prevent *any* relative path
> Andrew> from being specified. I guess a less stringent rule would be to disallow
> Andrew> any values that contain "..".
>
> Ok! So for those who are interested in security issues and want dots in their
> config files, change line 108 of the htsearch/htsearch.cc file from that:
>
> if (input.exists("config") && !strchr(input["config"], '.'))
>
> to that:
>
> if (input.exists("config") && !strstr(input["config"], ".."))
>
> That should be good now ??
>
> --
>
> - heddy -
> ----------------------------------------------------------------------
> To unsubscribe from the htdig mailing list, send a message to
> [EMAIL PROTECTED] containing the single word "unsubscribe" in
> the body of the message.
>
Tim Frost, Systems Engineer Email: [EMAIL PROTECTED]
EDS (NZ) Ltd, Voice: +64 4 495-0504
P.O. Box 3647, Fax: +64 4 495-0473
Wellington, New Zealand.
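
The checks discussed in this thread, side by side, as an added example that is not part of the original messages or of the ht://Dig source: `original_rule` and `relaxed_rule` mirror the two conditions quoted for line 108, while `is_safe_config_name`, its 64-character limit and the sample values are hypothetical, constructed for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// Condition quoted from line 108 of htsearch.cc: no '.' anywhere in the value.
bool original_rule(const char *v) { return std::strchr(v, '.') == nullptr; }

// Relaxed condition proposed in the thread: only ".." is refused.
bool relaxed_rule(const char *v) { return std::strstr(v, "..") == nullptr; }

// Hypothetical stricter check (an assumption, not ht://Dig code): accept the
// value only as a bare name made of letters, digits, '_', '-' and single
// dots. Empty values, a leading dot, "..", '/' and '\\' are all refused.
bool is_safe_config_name(const std::string &v) {
    if (v.empty() || v.size() > 64 || v[0] == '.') return false;
    for (std::size_t i = 0; i < v.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(v[i]);
        if (c == '.') {
            if (i + 1 < v.size() && v[i + 1] == '.') return false;
            continue;
        }
        if (!std::isalnum(c) && c != '_' && c != '-') return false;
    }
    return true;
}

int main() {
    // Constructed sample values for the "config" form field.
    const char *samples[] = {"htdig", "site.v2", "../other", "/tmp/other", ""};
    std::printf("%-12s %-9s %-8s %s\n", "value", "original", "relaxed", "strict");
    for (const char *s : samples) {
        std::printf("%-12s %-9s %-8s %s\n", s,
                    original_rule(s) ? "accept" : "reject",
                    relaxed_rule(s) ? "accept" : "reject",
                    is_safe_config_name(s) ? "accept" : "reject");
    }
    return 0;
}
```

Both quoted conditions accept `/tmp/other`, which is the gap the reply above points at; only the allowlist check refuses it.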