Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Manuel Lemos (firstname.lastname@example.org)
Date: Mon Sep 04 2000 - 15:32:47 PDT
On 04-Sep-00 06:12:33, you wrote:
>> >> application: PHP interface to ht://Dig 2000.09.03
>> >> author: Manuel Lemos <email@example.com>
>> >> license: freely distributable
>> >> category: Web/Development
>> >> homepage: http://freshmeat.net/redir/homepage/968017154/
>> >> download: http://freshmeat.net/redir/download/968017154/
>> >At first glance, I would say that there is a possible security hole
>> >in this class since the htsearch parameters are not shell-escaped.
>> >This could allow the execution of arbitrary commands.
>> I'm not sure how that may happen because the search words, eventually
>> passed as submitted form values, are URLEncoded and then passed to htsearch
>> in the QUERY_STRING environment variable. I wonder if URLEncoding would
>> not prevent all possible attacks.
>Hmm.. I think it will prevent most possible attacks, but not all.
>One reason for this is that shell-escaping is platform dependent and
>must be handled differently on different OS platforms by the scripting,
>whereas URLencoding is not platform dependent.
I guess you are right. I may add shell escaping, but now I'm not sure
what should be escaped. I have something like:
Exec("QUERY_STRING=\"words=".UrlEncode($text)."\" /usr/local/htdig/cgi-bin/htsearch ");
I wonder if just escaping the result of the UrlEncode call would do. What do you think?
--
E-mail: firstname.lastname@example.org
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
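As an added example, not code from the original message or from the PHP interface class, this shows the two defensive options the thread is circling: keep the user input out of the shell entirely, or, where a shell is unavoidable, apply the platform's own argument escaping. It assumes the htsearch path quoted above, that htsearch reads QUERY_STRING when REQUEST_METHOD is GET, and PHP 7.4 or later for the array form of proc_open().

```php
<?php
// Added example (not part of the original message). Names and the
// REQUEST_METHOD assumption are hypothetical; the htsearch path is the
// one quoted in the thread.

function build_query_string(array $params): string {
    // http_build_query() urlencodes every key and value, so the
    // "words" value can never contain raw quotes, spaces or $.
    return http_build_query($params);
}

function run_htsearch(string $words,
                      string $htsearch = '/usr/local/htdig/cgi-bin/htsearch'): string {
    // Assumption: htsearch honours QUERY_STRING for a GET request.
    $env = [
        'QUERY_STRING'   => build_query_string(['words' => $words]),
        'REQUEST_METHOD' => 'GET',
    ];
    // Array command form (PHP >= 7.4) execs the binary directly; no
    // /bin/sh is involved, so no shell escaping rules apply at all and
    // the platform-dependence raised in the thread disappears.
    $proc = proc_open([$htsearch],
                      [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
                      $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htsearch');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Fallback when the command must go through a shell (older PHP, or
// exec()): escapeshellarg() wraps each value in the quoting the current
// platform's shell expects, so the value is passed as one literal argument.
function shell_command_for(string $words,
                           string $htsearch = '/usr/local/htdig/cgi-bin/htsearch'): string {
    $qs = build_query_string(['words' => $words]);
    return 'QUERY_STRING=' . escapeshellarg($qs) . ' ' . escapeshellarg($htsearch);
}

// Constructed sample input: metacharacters survive only as %xx sequences.
echo shell_command_for('php "classes" $HOME'), "\n";
```

Note that proc_open() with an explicit $env array replaces the whole environment, so add PATH or other variables to $env if the binary needs them.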
This archive was generated by hypermail 2b28 : Mon Sep 04 2000 - 20:19:36 PDT