Geoff Hutchison (ghutchis@wso.williams.edu)
Fri, 25 Jun 1999 13:41:38 -0400
> Hi, Geoff and company. I'm a bit concerned about the latest input
> parameters added to htsearch:
My mistake. They were in the patch queue and I let them go through. I
don't like them one bit either and I had a long discussion with the
author about using allow_in_form. I guess his main point was that
allow_in_form only works when you can *get* to the config directory
(which is a pretty good point).
What I *meant* to do was to send the patches to the list and discuss
them. I was a bit hurried last night, so I clearly messed up.
> At the very least, I think these two parameters should be selectable by
> a compile-time option, and disabled by default.
This might work.
> - introduce a new directive "include_if_exists" (or extend
> the current "include" directive to this meaning):
> Same usage, but more admin-friendly ;-)
You mention directives in the config file itself. Include won't include
files if they don't exist. :-)
While I certainly agree (and raised many of these points with the
author), he does have a point. He wants to have users pick the headers
and footers and whatnot. But he doesn't want to force them to use
allow_in_form for all of those directives to redirect from ${commondir}.
Yet this introduces security problems.
What if we have some way of setting a list of allowable directories in
the main config file, which OKs the allow_in_form of something like
common_dir and then reads in the other config? This just occurred to me
and seems like a more secure way of doing it. Or we just point out (like
I did) that you can have sub-directories in your config directory.
--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
------------------------------------
To unsubscribe from the htdig3-dev mailing list, send a message to
htdig3-dev@htdig.org containing the single word "unsubscribe" in the
SUBJECT of the message.
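As an added illustration of the "list of allowable directories" idea floated in the message above (example code written for this archive page, not ht://Dig's own htsearch code): the trusted main config declares which directories a form-supplied `common_dir` may point into, and every form directive is vetted against that list before use. The directory paths, the `allow_in_form_dirs` name and the sample form parameters are constructed assumptions.

```python
import os

# Constructed assumption: what a main-config directive such as
# "allow_in_form_dirs" would hold after parsing. Only the trusted config
# file, never the form, decides which roots are acceptable.
ALLOWED_COMMON_DIRS = ("/opt/htdig/common", "/opt/htdig/sites")


def resolve_form_common_dir(value, allowed_dirs=ALLOWED_COMMON_DIRS):
    """Return the canonical path if `value` lies inside an allowed root, else None.

    Form input is untrusted: relative paths, NUL bytes, '..' segments and
    symlinks are all normalised away before the containment check.
    """
    if not value or "\0" in value or not os.path.isabs(value):
        return None
    candidate = os.path.realpath(value)  # collapses '..', '//' and symlinks
    for root in allowed_dirs:
        root = os.path.realpath(root)
        try:
            # commonpath rejects prefix look-alikes such as /opt/htdig/common_evil
            if os.path.commonpath([root, candidate]) == root:
                return candidate
        except ValueError:
            continue  # mixed absolute/relative or different drives
    return None


def vet_form_directives(form_params, allowed_dirs=ALLOWED_COMMON_DIRS):
    """Keep only the form directives the main config permits, with vetted values.

    Anything not explicitly handled here is dropped, so a form cannot smuggle
    in an arbitrary directive just because htsearch knows the name.
    """
    accepted = {}
    for name, value in form_params.items():
        if name == "common_dir":
            path = resolve_form_common_dir(value, allowed_dirs)
            if path is not None:
                accepted[name] = path
    return accepted


if __name__ == "__main__":
    # Constructed sample of what an htsearch form might submit.
    sample_form = {
        "common_dir": "/opt/htdig/common/../../../etc",  # traversal attempt
        "config": "/etc/passwd",                         # not permitted at all
    }
    print(vet_form_directives(sample_form))  # -> {} (both rejected)
```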
This archive was generated by hypermail 2.0b3 on Fri Jun 25 1999 - 09:56:56 PDT