Andrew Scherpbier (email@example.com)
Mon, 25 May 1998 08:56:47 -0700
heddy Boubaker wrote:
> <> "Neil" == Neil Cutcliffe <firstname.lastname@example.org> writes:
> Neil> I noticed htsearch doesn't accept a conf file name (via the 'config'
> Neil> form field) if the file name has any dots ('.') in it? Does anyone
> Neil> know the reason for this restriction?
> Yes this is a bug ... in design (IMHO), htsearch try to be smarter than
> needed ;-) or think we're completely dumb and we didn't read the doc ;-) so
> it try to interpret some input you give him, in that case it interpret
> the value of the config file like that: "if there is already a dot in config
> file name that should mean the user have not read the doc and already put the
> extension .conf in that name, so I'll not add it myself".
> You really CAN'T have dots in config files names unless you patch the code
> or add .conf at the end of the name unlike what is written in the doc. And
> here is a small patch, just change the line 108 of the htsearch/htsearch.cc
> file from that:
> if (input.exists("config") && !strchr(input["config"], '.'))
> to that:
> if (input.exists("config"))
> But after that don't add .conf at the end anymore ...
> That's all folks
Let me explain why I did what I did... (You may or may not agree with me on
this issue. So be it.)
My feeling is that allowing to specify a configuration file in an HTML form
is a security risk. Anyone can write an HTML form, and if someone has access
to the machine he/she could write their own config file that publishes some
file that shouldn't be published. Their custom HTML can now cause htsearch
to read their own config file and thereby publish the sensetive file.
I understand that this is not a very likely thing to happen, but then again,
who would have thought that finger could be coerced into returning any file
on a system, right? :-)
The logic with the dot stuff is simply to prevent *any* relative path to be
I guess a less stringent rule would be to disallow any values that contain
"..". (Absolute paths are out of the question, naturally...)
-- Andrew Scherpbier <email@example.com> Contigo Software <http://www.contigo.com/> ---------------------------------------------------------------------- To unsubscribe from the htdig mailing list, send a message to firstname.lastname@example.org containing the single word "unsubscribe" in the body of the message.
This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:18 PST