Re: [htdig] small patch to allow_in_form feature


Alexander Bergolth (leo@strike.wu-wien.ac.at)
Wed, 3 Feb 1999 14:39:06 +0100 (MEZ)


On Tue, 2 Feb 1999, Gilles Detillieux wrote:

> According to Alexander Bergolth:
> > I changed config["allow_in_form"] to input->get(form_vars[i]) in
> > Display::setVariables and in Display::createURL.
>
> Wait, no, setVariables() should still use config[form_vars[i]], not
> input->get(form_vars[i])!

Ooops!
Once again, you are right...
That must be the weather, I didn't do anything clever yesterday... :)

> Of course, the allow_in_form attribute itself should only be read from
> the config dictionary, and not the input dictionary, because you don't
> want users to be able to override it!

In the for-loops only the list of variables that are specified in the
allow_in_form attribute is processed anyway. So if you don't say
something like
allow_in_form: foo bar allow_in_form
in the config file, nobody should be able to override this via query
string.

Thanks,
         Leo

-----------------------------------------------------------------------
Alexander (Leo) Bergolth leo@leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at
Info Center
In a world without walls and fences, who needs windows and gates?
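The point argued in this exchange, that the allow_in_form attribute itself must come from the config dictionary and never from the query input, is easy to model. The following is an added example written for this archive page, not htdig's own code: a small Python sketch of a setVariables()-style pass that merges query overrides for the allow-listed names, a createURL()-style pass that re-reads the allow-list from the merged variables, and an audit that flags the "allow_in_form: foo bar allow_in_form" misconfiguration mentioned above. The config format (`key: value` lines), the sample configs and the query strings are constructed for the example; the variable name `method` stands for any attribute the administrator does not want users to change.

```python
"""Allow-list handling for form variables, modelled on the allow_in_form
discussion (illustrative, not htdig code)."""
from urllib.parse import parse_qs

# Constructed sample configs: a sound one, and the self-listing one from the mail.
SAFE_CONFIG = """\
allow_in_form: foo bar
foo: default-foo
bar: default-bar
method: and
"""

UNSAFE_CONFIG = """\
allow_in_form: foo bar allow_in_form
foo: default-foo
bar: default-bar
method: and
"""


def parse_config(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            config[key.strip()] = value.strip()
    return config


def set_variables(config, query):
    """setVariables()-style pass: the allow-list is read from config only.
    Each listed name may be overridden from the query string; every other
    attribute keeps its configured value."""
    form_vars = config.get("allow_in_form", "").split()
    input_vars = parse_qs(query, keep_blank_values=True)
    variables = dict(config)  # start from the configured values
    for name in form_vars:
        if name in input_vars:
            variables[name] = input_vars[name][0]
    return variables


def create_url_params(variables, query):
    """createURL()-style pass that takes the allow-list from the merged
    variables dict. This is only safe if allow_in_form could never have
    been overridden by set_variables(), i.e. if it does not list itself."""
    input_vars = parse_qs(query, keep_blank_values=True)
    allowed = variables.get("allow_in_form", "").split()
    return {name: input_vars[name][0] for name in allowed if name in input_vars}


def audit_allow_in_form(config):
    """Return a list of findings; an empty list means the allow-list is sound."""
    findings = []
    form_vars = config.get("allow_in_form", "").split()
    if "allow_in_form" in form_vars:
        findings.append(
            "allow_in_form lists itself: a query string can widen the allow-list"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        cfg = parse_config(text)
        q = "foo=x&method=or&allow_in_form=method"
        merged = set_variables(cfg, q)
        print(label, "->", create_url_params(merged, q), audit_allow_in_form(cfg))
```

With the sound config, a query that tries to pass `allow_in_form=method` changes nothing: `method` is not in the allow-list, so it is neither merged nor propagated into the rebuilt URL. With the self-listing config, the first pass still leaves `method` alone, but it lets the query replace the allow-list itself, so the second pass happily forwards `method=or`. The audit function is the check an administrator would run over the config file to catch that case.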




This archive was generated by hypermail 2.0b3 on Wed Feb 10 1999 - 17:09:05 PST