Re: [htdig] Silly restrict questions


Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Fri, 29 Oct 1999 14:09:28 -0500 (CDT)


According to Anton Mc Kee:
> I have tried this <input type="hidden" name="restrict"
> value="http://product1.domain.com">
>
> however I still get results from the other web servers. Which if I did have
> an intranet would be a big mistake as even the mere names on files would be
> enough to breach security.

I can't see anything wrong with the way you're using restrict above.
I don't know why it's not working. Are you sure there are no typos
in the form, in that tag or elsewhere? Is the tag between the <form>
and </form> tags? Does the restrict value show up in URLs in the page
list at the bottom of search results?

Anyway, you can't rely on the restrict field, even once you get it
working, as a means of security. Any CGI input parameter can be easily
overridden by the user. If your database contains sensitive information,
you should hide it away on a secure site, accessible only by those who
are authorized. What's to stop users from entering an URL like this
into their browser's location window?

   http://product1.domain.com/cgi-bin/htsearch?restrict=&words=confidential

Even if the matching documents themselves are on a secure site, htsearch
will happily report excerpts from them in the search results if the
secure documents are indexed in an unsecured database.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
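The point above, that a hidden `restrict` field is just another client-supplied CGI parameter and the real cut-off has to happen on the server, as an added example (not ht://Dig's own code, and not a real `htsearch` interface). It assumes a hypothetical front end where the web server authenticates the user and passes `REMOTE_USER` to the CGI; `ALLOWED_PREFIXES` and `SAMPLE_RESULTS` are constructed sample data standing in for an authorization map and for results from an index that spans several servers.

```python
"""
Added example: enforce a URL-prefix restriction from the authenticated
identity instead of trusting the browser-supplied "restrict" parameter.

Assumptions (hypothetical, not from the original message):
  - The web server authenticates users and sets REMOTE_USER for the CGI.
  - Search results are available as (url, excerpt) pairs; the ones below
    are constructed sample data, not real htsearch output.
"""
from urllib.parse import parse_qs

# Constructed authorization map: URL prefixes each authenticated user may see.
ALLOWED_PREFIXES = {
    "alice": ("http://product1.domain.com/",),
    "bob": ("http://product1.domain.com/", "http://product2.domain.com/"),
}

# Constructed sample results, as if from one index covering several servers.
SAMPLE_RESULTS = [
    ("http://product1.domain.com/docs/intro.html", "Getting started with product 1"),
    ("http://product2.domain.com/internal/plan.html", "Confidential roadmap ..."),
    ("http://intranet.domain.com/hr/salaries.html", "Confidential salary table"),
]


def client_restrict(query_string):
    """Return the 'restrict' value the client sent.

    Parsed only to show that it is user-controlled: a missing or empty value
    would mean "no restriction at all" if the server trusted it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("restrict", [""])[0]


def server_prefixes(environ):
    """Derive the permitted prefixes from the authenticated identity alone."""
    user = environ.get("REMOTE_USER")
    if not user:
        return ()  # unauthenticated request: nothing is visible
    return ALLOWED_PREFIXES.get(user, ())


def filter_results(results, prefixes):
    """Keep only results whose URL starts with a permitted prefix.

    The excerpt is dropped together with the URL, so no text from a
    non-permitted document leaks into the result page.
    """
    return [(url, excerpt) for url, excerpt in results
            if any(url.startswith(p) for p in prefixes)]


def search(environ, results=SAMPLE_RESULTS):
    """Answer a search: the client's restrict is read but never used for
    authorization; only the server-derived prefixes decide what is shown."""
    _untrusted = client_restrict(environ.get("QUERY_STRING", ""))
    return filter_results(results, server_prefixes(environ))


if __name__ == "__main__":
    # Constructed request: the client sent an empty restrict=, as in the
    # URL quoted above, but only alice's allowed prefix is applied.
    env = {"REMOTE_USER": "alice", "QUERY_STRING": "restrict=&words=confidential"}
    for url, excerpt in search(env):
        print(url, "-", excerpt)
```

The shape matters more than the details: the restriction is keyed to who the server knows the user to be, not to what the form posted, and an unauthenticated request sees nothing. This is the same idea as the advice to keep a sensitive index on a secure site; the index for `product1` could just as well live behind its own authenticated front end so that excerpts of other servers' documents never reach it.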


This archive was generated by hypermail 2.0b3 on Fri Oct 29 1999 - 12:19:09 PDT