Re: [htdig] Ampersand in URL


Subject: Re: [htdig] Ampersand in URL
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Mon Jan 17 2000 - 10:30:56 PST


According to Torsten Neuer:
> The first problem seems mainly to be related to the shell handling the
> ampersand character as a special character. I suspect "parsedoc.pl" not to
> shell-escape the command string correctly, thus trying to have the shell
> execute "line.ps" as a command itself. This could also be a security issue
> if there is such an executable on the system that could be run.
>
> Maybe it can be fixed by shell-escaping "$parsecmd" in "parsedoc.pl"?

No, there was indeed a bug in 3.1.2 and earlier, in that the URL parameter
that htdig passed to the external parser was not quoted, so when popen()
called the shell, the shell would parse the "&" character. This was fixed
in 3.1.3. The handling of &amp; entities in URLs was also fixed in 3.1.3,
but was conditional on translate_amp, which some thought it shouldn't be.
3.1.3 also broke handling of bare ampersands in URLs, which a lot of
pages still use. All of this should now work correctly in 3.1.4.

In 3.2.0b1 (under development), parsing &amp; entities in URLs is still
conditional on translate_amp, but there's no longer any good reason for
the translate_* attributes to be false, as htsearch will now correctly
do the reverse translation. I recommend that the defaults for these
attributes now be "true" in 3.2.x.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
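
The unquoted-URL problem described in the message above, shown beside a quoted form, as an added example that is not htdig's own code. The names sh_quote and run_parser are hypothetical, `printf` stands in for the external parser, and the URL is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L   /* popen(), pclose() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Wrap s in single quotes for /bin/sh; an embedded ' becomes '\''.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *sh_quote(const char *s)
{
    size_t n = 3;                               /* two quotes plus NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\''; *q = '\0';
    return out;
}

/* Run "parser url" via popen() and copy the first output line into buf.
 * quote=0 passes the URL unquoted, as in the bug described above. */
int run_parser(const char *parser, const char *url, int quote, char *buf, size_t len)
{
    char cmd[1024];
    char *quoted = quote ? sh_quote(url) : NULL;
    if (quote && !quoted) return -1;
    int n = snprintf(cmd, sizeof cmd, "%s %s", parser, quoted ? quoted : url);
    free(quoted);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;  /* never run a truncated command */
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    if (!fgets(buf, (int)len, fp)) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return pclose(fp);
}

int main(void)
{
    const char *url = "http://example.com/get?a=1&b=2";   /* constructed sample */
    char line[256];
    run_parser("printf '%s\\n'", url, 0, line, sizeof line);
    printf("unquoted: %s\n", line);   /* shell splits the command at '&' */
    run_parser("printf '%s\\n'", url, 1, line, sizeof line);
    printf("quoted:   %s\n", line);   /* parser receives the whole URL */
    return 0;
}
```

Running the parser with fork() and execv() instead of popen() removes the shell from the path entirely, so no quoting is needed.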




This archive was generated by hypermail 2b28 : Mon Jan 17 2000 - 10:31:28 PST