Re: htdig: htsearch doesn't accept dots '.' in conf file name


heddy Boubaker (boubaker@cenatls.cena.dgac.fr)
26 May 1998 10:28:35 +0200


>>>>> "Andrew" == Andrew Scherpbier <andrew@contigo.com> writes:

Andrew> Let me explain why I did what I did...
Andrew> [...]
Andrew> allowing to specify a configuration file in an HTML form is
Andrew> a security risk.
 
 hi Andrew,
 
 Good point here ;-) I didn't think about security issues.
 
Andrew> The logic with the dot stuff is simply to prevent *any* relative path
Andrew> to be specified. I guess a less stringent rule would be to disallow
Andrew> any values that contain "..".
 
 Ok ! so for those who are interested in security issues and want dots in their
 config files change line 108 of the htsearch/htsearch.cc file from that:

   if (input.exists("config") && !strchr(input["config"], '.'))
 
  to that:
  
   if (input.exists("config") && !strstr(input["config"], ".."))
 
 That should be good now ??

-- 

- heddy -
----------------------------------------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-request@sdsu.edu containing the single word "unsubscribe" in
the body of the message.
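
An added example, not part of the original message and not htsearch code: the two checks from the thread run side by side on constructed `config` values, next to a hypothetical stricter allow-list check. The function names, the sample values and the allow-list rules are assumptions made for illustration.

```cpp
// Added example, not htsearch code. All sample values are constructed.
#include <cctype>
#include <cstdio>
#include <cstring>

// Original rule from the thread: reject any value containing a dot.
bool accept_no_dot(const char *v) { return std::strchr(v, '.') == nullptr; }

// Proposed rule from the thread: reject only values containing "..".
bool accept_no_dotdot(const char *v) { return std::strstr(v, "..") == nullptr; }

// Hypothetical stricter rule (assumption): treat the value as a single
// file-name component. Letters, digits, '_', '-' and single dots only;
// no path separators, no "..", no leading dot, not empty, bounded length.
bool accept_allowlist(const char *v) {
    std::size_t n = std::strlen(v);
    if (n == 0 || n > 64 || v[0] == '.') return false;
    for (std::size_t i = 0; i < n; ++i) {
        unsigned char c = static_cast<unsigned char>(v[i]);
        bool ok = std::isalnum(c) || c == '_' || c == '-' || c == '.';
        if (!ok) return false;
        // v[i + 1] is the terminating NUL when i is the last index.
        if (c == '.' && v[i + 1] == '.') return false;
    }
    return true;
}

int main() {
    const char *samples[] = {"intranet", "site.v2", "../other",
                             "sub/dir", "/abs", "a..b", ""};
    std::printf("%-10s %-7s %-10s %s\n",
                "value", "no-dot", "no-dotdot", "allow-list");
    for (const char *s : samples)
        std::printf("%-10s %-7d %-10d %d\n", s, accept_no_dot(s),
                    accept_no_dotdot(s), accept_allowlist(s));
    return 0;
}
```

Neither check from the thread looks at path separators, so values such as `sub/dir` pass both; the allow-list variant rejects them while still permitting dotted names like `site.v2`.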



This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:18 PST