Re: [htdig] using a "secure" search results .

Subject: Re: [htdig] using a "secure" search results .
From: Gilles Detillieux (
Date: Wed Apr 05 2000 - 11:07:16 PDT

According to J. op den Brouw:
> On Wed, 5 Apr 2000, Budd, S wrote:
> > We want the index of the whole college in one data base.
> > but we want two searches
> > 1. returns results for only departments a,b,c web servers
> > 2. returns results for only departments d,e ( where all pages are
> > protected by apache configuration ) webserver
> We have an Intranet site, similar to this setup.
> > Is the following a good method to prevent the departments
> > from viewing each others' index results, or is there a simpler method?
> > We do not want the limit_urls_to to be in the search form as obviously
> > a user could just remove this. We do not want the protected pages to appear
> > in the search results.
> >
> > Run two versions of htsearch ( each with a different config file ) from a
> > different cgi-bin directory which has been protected with
> > an Apache authorisation set-up allowing dept a,b,c to use say htsearchabc
> > and dept. d, e to use say htsearchde.
> >
> > the two htsearches would have default config files with
> > appropriate limit_urls_to or exclude_urls set in them.

No, limit_urls_to and exclude_urls are only used by htdig, not htsearch.
In htsearch, you must use the restrict and exclude input parameters.
This is obviously not secure, as anyone can override any input parameter,
whether it's in the search form or not. E.g.:

> This will work. You can do it another way: write a wrapper script
> that checks the REMOTE_ADDR environment variable and call htsearch
> with the correct config file, or set the exclude and restrict
> CGI parameters to the correct value. With the latter, you can
> have one database and one config file. There are some tricky
> things to take care of with these CGI parameters when you allow
> users to set them via a form, so you'd better not give this to users.

Yes, the wrapper script would need to get the whole query string, and
override any and all user-supplied values for restrict and exclude with
the values you want to impose. If there's any possibility that the user
could defeat this mechanism, your system is not secure.

The other option would be to modify htsearch/ (main) to ignore
any restrict and exclude input parameter, and fetch them from the config
object instead, so that these could be set in htsearch's config file.
For this to be secure, you'd need to run each group of departments using
a protected htsearch binary (or wrapper script) which has its own unique
CONFIG_DIR, so that you can't use the config file for a different group
of departments from within your group's htsearch binary.

Gilles R. Detillieux              E-mail: <>
Spinal Cord Research Centre       WWW:
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
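
The wrapper approach discussed in this message, as an added example that is not part of the original post or of ht://Dig: a CGI wrapper that discards every user-supplied restrict and exclude value (from GET or POST) and imposes its own before running htsearch. The binary path, the example.edu URL and the choice to also lock htsearch's `config` input parameter are assumptions for illustration.

```python
#!/usr/bin/env python3
"""CGI wrapper sketch: impose restrict/exclude before htsearch sees the query."""
import os
import sys
from urllib.parse import parse_qsl, urlencode

# Assumed values for one group of departments; path and URL are placeholders.
HTSEARCH = "/usr/local/htdig/cgi-bin-private/htsearch"
IMPOSED = {
    "restrict": "http://dept-abc.example.edu/",
    "exclude": "",
    "config": "htdig",  # assumption: the config selector is locked as well
}

def enforce_query(raw_query, imposed=IMPOSED):
    """Return a query string in which only the imposed values remain
    for the locked parameters; all other user input is passed through."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    # parse_qsl percent-decodes names, so "%72estrict" is caught too.
    kept = [(k, v) for k, v in pairs if k.strip().lower() not in imposed]
    kept.extend(imposed.items())
    # Re-encoding escapes '&', ';' and '=' inside values, so text hidden
    # in a value cannot be re-split into a new parameter downstream.
    return urlencode(kept)

def read_request(environ, stdin):
    """Collect user input from the query string and, for POST, the body."""
    raw = environ.get("QUERY_STRING", "")
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = stdin.read(length).decode("latin-1")
        raw = raw + "&" + body if raw else body
    return raw

def main():
    env = dict(os.environ)
    env["QUERY_STRING"] = enforce_query(read_request(env, sys.stdin.buffer))
    env["REQUEST_METHOD"] = "GET"  # body is already folded into QUERY_STRING
    env.pop("CONTENT_LENGTH", None)
    os.execve(HTSEARCH, [HTSEARCH], env)

if __name__ == "__main__":
    main()
```

The htsearch binary itself has to sit where the web server will not serve it directly, otherwise the wrapper can simply be bypassed.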


This archive was generated by hypermail 2b28 : Wed Apr 05 2000 - 10:06:12 PDT