I don't really recommend using diatheke as anything but a demo/sample app. It's out of date, ill-maintained, and was never that good to begin with. If you're setting up a Bible site, I would suggest trying to use the BibleTool.
That said, your best means of really securing web-executed diatheke use is to make sure that the user (e.g. apache) doesn't have permission to do anything more than necessary. In other words, don't give it permissions to execute programs like ls/rm/mv.

As it stands, the diatheke CGI script does two things:
1) It quotes the search box text, as Daniel said.
2) It escapes quote marks from the search box text. (See the shell_escape function in the CGI script.)

So [';ls /etc] in the search box will execute [diatheke -b KJV -s phrase -k 'Jesus\'; ls /etc'], which is neither interesting nor a security issue.

--Chris

Linas S. wrote:
> Hello,
>
> I am trying to make an online Bible script using diatheke. I have a problem: security.
> Users can put anything in the search box on the web page, e.g.:
> Jesus;ls /etc
> If I run the command:
> diatheke -b KJV -s phrase -k Jesus; ls /etc
> I will get a listing of the /etc directory.
> I could check user input for characters other than the letters a - z, but
> users can enter Greek or Hebrew text.
> Is there any "safe" way of using diatheke?
>
> Regards,
>
> Linas S.
>
> _______________________________________________
> sword-devel mailing list: sword-devel@crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
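The three approaches discussed in the thread, side by side, as an added example (this is not the diatheke CGI's code, and shell_escape is not reproduced): naive concatenation of the search text into a shell command line, the quote-and-escape approach, and the one that sidesteps the problem entirely, passing an argument vector with no shell in between. The command line `diatheke -b KJV -s phrase -k <query>` is the one from the thread; diatheke itself is assumed not to be installed, so the two execution demos use `printf` under `/bin/sh` and the Python interpreter as stand-ins for the binary.

```python
"""Added example, not code from the diatheke CGI: three ways to pass a web
search string to a command-line tool, from injectable to safe.

Assumes the command line "diatheke -b KJV -s phrase -k <query>" from the
thread. diatheke need not be installed: the execution demos use printf
under /bin/sh and the Python interpreter as stand-ins for the binary.
"""
import subprocess
import sys

BASE_ARGV = ["diatheke", "-b", "KJV", "-s", "phrase", "-k"]


def unsafe_command(query: str) -> str:
    """Naive concatenation, later handed to a shell: the shell parses the
    user's text, so "Jesus; ls /etc" becomes two commands."""
    return " ".join(BASE_ARGV) + " " + query


def posix_quote(text: str) -> str:
    """Single-quote text for a POSIX shell. Inside single quotes every
    character is literal, backslash included, so the only byte that needs
    handling is the quote itself: close the word, emit an escaped quote,
    reopen the word. (Writing \\' instead would end the word early.)
    shlex.quote() in the standard library does the same thing."""
    return "'" + text.replace("'", "'\\''") + "'"


def quoted_command(query: str) -> str:
    """Hardened string form: still shell-parsed, but the query is one
    single-quoted word, so ; | $ ` and quotes in it have no effect."""
    return " ".join(BASE_ARGV) + " " + posix_quote(query)


def shell_roundtrip(query: str) -> str:
    """Prove the quoting against a real /bin/sh: printf the quoted word and
    return what the shell actually delivered. Equals query iff the quoting
    is correct (printf's %s does not interpret escapes in its argument)."""
    cmd = "printf '%s\\n' " + posix_quote(query)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True,
                         text=True, check=True).stdout
    return out[:-1]  # drop the newline printf appended


def safe_argv(query: str) -> list:
    """Safest form: no shell at all. execve() receives an argument vector, so
    the query is exactly one argument whatever it contains: semicolons,
    quotes, Greek or Hebrew. No character whitelist is needed, which is
    what makes this the right answer for non-Latin search text."""
    return BASE_ARGV + [query]


def stand_in_run(query: str):
    """Execute safe_argv() with the Python interpreter standing in for
    diatheke. The stand-in reports how many arguments it received and the
    last one, so we see exactly what the real tool would get in argv."""
    probe = "import sys; print(len(sys.argv) - 1); print(sys.argv[-1])"
    argv = [sys.executable, "-c", probe] + safe_argv(query)[1:]
    out = subprocess.run(argv, capture_output=True, text=True,
                         check=True).stdout
    count, last = out.split("\n", 1)
    return int(count), last[:-1]


if __name__ == "__main__":
    # Constructed sample queries: plain, two injection attempts, Greek.
    for q in ["Jesus", "Jesus; ls /etc", "Jesus'; ls /etc", "Ἰησοῦς"]:
        print("UNSAFE:", unsafe_command(q))
        print("QUOTED:", quoted_command(q), "->", repr(shell_roundtrip(q)))
        print("ARGV  :", safe_argv(q), "->", stand_in_run(q))
        print()
```

Running the script shows the difference concretely: the UNSAFE line for `Jesus; ls /etc` is a command line the shell would split in two, the QUOTED line comes back from `/bin/sh` as the exact search string, and the ARGV line shows the stand-in binary receiving six arguments with the entire query, semicolon and all, as the last one. In a CGI this corresponds to `subprocess.run([...])` with a list (or Perl's list-form `system`/`exec`) rather than building a string for the shell; the least-privilege advice above still applies on top of it, since it limits the damage if some other path does reach a shell.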