Re: htdig: htsearch doesn't accept dots '.' in conf file name


Tim Frost (tim@nz.eds.com)
Wed, 27 May 1998 11:45:30 +1200 (NZST)


I suspect that the correct thing to be looking for is slash '/' which
would offer the opportunity of putting a config file in an arbitrary
location (your HT://Dig config directory is not world-writeable, I hope).

Tim

On 26 May 1998, heddy Boubaker wrote:

>
> <> "Andrew" == Andrew Scherpbier <andrew@contigo.com> writes:
>
> Andrew> Let me explain why I did what I did...
> Andrew> [...]
> Andrew> allowing to specify a configuration file in an HTML form is
> Andrew> a security risk.
>
> hi Andrew,
>
> Good point here ;-) I didn't think about security issues.
>
> Andrew> The logic with the dot stuff is simply to prevent *any* relative path
> Andrew> to be specified. I guess a less stringent rule would be to disallow
> Andrew> any values that contain "..".
>
> Ok ! so for those who are interested in security issues and want dots in their
> config files, change line 108 of the htsearch/htsearch.cc file from that:
>
> if (input.exists("config") && !strchr(input["config"], '.'))
>
> to that:
>
> if (input.exists("config") && !strstr(input["config"], ".."))
>
> That should be good now ??
>
> --
>
> - heddy -
> ----------------------------------------------------------------------
> To unsubscribe from the htdig mailing list, send a message to
> htdig-request@sdsu.edu containing the single word "unsubscribe" in
> the body of the message.
>

Tim Frost, Systems Engineer
EDS (NZ) Ltd, P.O. Box 3647, Wellington, New Zealand.
Email: Tim.Frost@nz.eds.com
Voice: +64 4 495-0504
Fax: +64 4 495-0473
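The thread compares three filters for the "config" form value: the original check that rejects any '.', heddy's relaxation that rejects only "..", and Tim's point that '/' is what actually lets the value escape the config directory. The following is an added example written for this archive page, not htdig's own code: it puts the three filters side by side on constructed sample values. The CONFIG_DIR path, the ".conf" suffix, and all function names are assumptions for illustration and are not taken from htsearch.cc.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// Assumed config directory and suffix for illustration; htsearch's real values may differ.
static const char *const CONFIG_DIR = "/usr/local/htdig/conf/";

// Filter 1: the check quoted in the thread: accept only if there is no '.' anywhere.
bool acceptNoDot(const char *name) {
    return std::strchr(name, '.') == nullptr;
}

// Filter 2: heddy's relaxation: accept only if ".." does not occur.
bool acceptNoDotDot(const char *name) {
    return std::strstr(name, "..") == nullptr;
}

// Filter 3: Tim's point plus the ".." rule: a bare file name with no separators,
// restricted to a conservative character set, so the lookup cannot leave CONFIG_DIR.
bool acceptBareName(const char *name) {
    if (name == nullptr || *name == '\0') return false;
    if (*name == '.') return false;                       // no ".", ".." or hidden names
    if (std::strchr(name, '/') != nullptr) return false;  // no directory separators at all
    if (std::strstr(name, "..") != nullptr) return false; // no parent references, even mid-name
    for (const char *p = name; *p != '\0'; ++p) {
        unsigned char c = static_cast<unsigned char>(*p);
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == '_')) return false;
    }
    return true;
}

// Build the path only after the name has passed acceptBareName.
std::string configPath(const char *name) {
    return std::string(CONFIG_DIR) + name + ".conf";
}

int main() {
    // Constructed sample values for the "config" form field (not real requests).
    const char *samples[] = { "htdig", "my.site", "sub/dir",
                              "../../etc/passwd", "/etc/passwd", ".htpasswd" };
    std::printf("%-20s %-6s %-6s %-6s\n", "config=", "noDot", "no..", "bare");
    for (const char *s : samples) {
        std::printf("%-20s %-6s %-6s %-6s\n", s,
                    acceptNoDot(s) ? "pass" : "REJECT",
                    acceptNoDotDot(s) ? "pass" : "REJECT",
                    acceptBareName(s) ? "pass" : "REJECT");
    }
    std::printf("accepted name resolves to %s\n", configPath("my.site").c_str());
    return 0;
}
```

Running the table shows why Tim's objection matters: "/etc/passwd" and "sub/dir" contain neither '.' nor "..", so both the original strchr check and the strstr("..") replacement let them through, while "my.site" is rejected by the original check even though it is harmless. Refusing '/' keeps the lookup inside the config directory regardless of dots; the ".." rule and the character allowlist are the belt-and-braces on top of that.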



This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:18 PST