heddy Boubaker (boubaker@cenatls.cena.dgac.fr)
26 May 1998 10:28:35 +0200
>>>>> "Andrew" == Andrew Scherpbier <andrew@contigo.com> writes:
Andrew> Let me explain why I did what I did...
Andrew> [...]
Andrew> allowing to specify a configuration file in an HTML form is
Andrew> a security risk.
hi Andrew,
Good point here ;-) I didn't think about security issues.
Andrew> The logic with the dot stuff is simply to prevent *any* relative path
Andrew> from being specified. I guess a less stringent rule would be to disallow
Andrew> any values that contain "..".
Ok! So, for those who are interested in security issues and want dots in their
config file names, change line 108 of the htsearch/htsearch.cc file from this:
if (input.exists("config") && !strchr(input["config"], '.'))
to that:
if (input.exists("config") && !strstr(input["config"], ".."))
That should be good now?
--- heddy -
----------------------------------------------------------------------
To unsubscribe from the htdig mailing list, send a message to htdig-request@sdsu.edu containing the single word "unsubscribe" in the body of the message.
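The two checks quoted above, side by side with an allowlist alternative, as an added example that is not part of the original message or of the htdig source. `config_ok_no_dots` and `config_ok_no_dotdot` reproduce the `strchr` and `strstr` conditions from the thread; `config_ok_allowlist` is a hypothetical stricter rule that admits file names with single dots while refusing `..`, path separators and leading dots. The sample values are constructed; in htdig the value would come from `input["config"]`.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// The check at line 108 of htsearch.cc as first quoted in the thread:
// reject the "config" value if it contains any '.' at all.
bool config_ok_no_dots(const char *value) {
    return std::strchr(value, '.') == nullptr;
}

// The relaxed check proposed in the thread: reject only values containing "..".
bool config_ok_no_dotdot(const char *value) {
    return std::strstr(value, "..") == nullptr;
}

// Hypothetical allowlist check (not htdig code): accept only a short file name
// made of letters, digits, '_', '-' and isolated dots. This refuses "..", every
// separator and a leading '.', so the value can never name a directory component.
bool config_ok_allowlist(const std::string &value) {
    if (value.empty() || value.size() > 64) return false;
    if (value.front() == '.' || value.back() == '.') return false;
    char prev = '\0';
    for (char c : value) {
        bool allowed = std::isalnum(static_cast<unsigned char>(c)) ||
                       c == '_' || c == '-' || c == '.';
        if (!allowed) return false;                 // rejects '/', '\\', spaces, ...
        if (c == '.' && prev == '.') return false;  // rejects ".."
        prev = c;
    }
    return true;
}

int main() {
    // Constructed sample values for the "config" form field.
    const char *samples[] = {"site", "site.conf", "..", "../etc", "sub/site", "/tmp/site"};
    std::printf("%-12s %-8s %-8s %-9s\n", "value", "no-dot", "no-..", "allowlist");
    for (const char *v : samples)
        std::printf("%-12s %-8d %-8d %-9d\n", v, config_ok_no_dots(v),
                    config_ok_no_dotdot(v), config_ok_allowlist(v));
    return 0;
}
```

Running it shows the trade-off the thread discusses: the original check refuses the legitimate `site.conf`, the `..` check accepts it but also lets values with separators such as `sub/site` through, and the allowlist accepts only plain file names.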
This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:18 PST