Re: htdig: htsearch doesn't accept dots '.' in conf file name

heddy Boubaker
26 May 1998 10:28:35 +0200

 "Andrew" == Andrew Scherpbier writes:

Andrew> Let me explain why I did what I did...
Andrew> [...]
Andrew> allowing to specify a configuration file in an HTML form is
Andrew> a security risk.
 hi Andrew,
 Good point here ;-) I didn't think about security issues.
Andrew> The logic with the dot stuff is simply to prevent *any* relative path
Andrew> to be specified. I guess a less stringent rule would be to disallow
Andrew> any values that contain "..".
 Ok ! so for those who are interested in security issues and want dots in their
 config files change line 108 of the htsearch/ file from that:

   if (input.exists("config") && !strchr(input["config"], '.'))
  to that:
   if (input.exists("config") && !strstr(input["config"], ".."))
 That should be good now ??


- heddy -
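
The two checks from this message side by side, with a stricter allowlist check for comparison. This is an added example, not part of the original post and not ht://Dig code; `ok_allowlist`, its character set and its 64-character limit are assumptions for illustration, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Original rule from the thread: reject any value containing a dot. */
int ok_no_dot(const char *name)
{
    return strchr(name, '.') == NULL;
}

/* Relaxed rule proposed in the thread: reject only values containing "..". */
int ok_no_dotdot(const char *name)
{
    return strstr(name, "..") == NULL;
}

/* Hypothetical stricter rule (assumption, not htsearch code): the value must
 * be a bare file name made of letters, digits, '_', '-' and single dots,
 * must not start with a dot, and must fit a fixed length limit. */
int ok_allowlist(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
    size_t len = strlen(name);

    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    if (strspn(name, allowed) != len)   /* rejects '/', '\\', spaces, ... */
        return 0;
    return strstr(name, "..") == NULL;
}

int main(void)
{
    /* Constructed sample values for the "config" form field. */
    const char *samples[] = { "htdig", "site.v2", "../other", "sub/dir",
                              "/abs/path", ".hidden", "" };
    size_t i;

    printf("%-12s %-7s %-10s %s\n", "value", "no-dot", "no-dotdot", "allowlist");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %-7d %-10d %d\n", samples[i], ok_no_dot(samples[i]),
               ok_no_dotdot(samples[i]), ok_allowlist(samples[i]));
    return 0;
}
```

The table it prints shows which values each rule lets through; only the allowlist version also rejects values containing a path separator.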

This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:18 PST