Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Torsten Neuer (tneuer@inwise.de)
Date: Tue Sep 05 2000 - 01:10:51 PDT


Manuel Lemos wrote:
>
> >> >At first glance, I would say that there is a possible security hole
> >> >in this class since the htsearch parameters are not shell-escaped.
> >> >This could allow the execution of arbitrary commands.
> >>
> >> I'm not sure how that may happen because the search words, eventually
> >> passed as submitted form values, are URLEncoded and then passed to htsearch
> >> in the QUERY_STRING environment variable. I wonder if URLEncoding would
> >> not prevent all possible attacks.
>
> >Hmm.. I think it will prevent most possible attacks, but not all.
> >One reason for this is that shell escaping is platform-dependent and
> >therefore must be handled differently on different OS platforms by the
> >scripting engine, whereas URL encoding is not platform-dependent.
>
> I guess you are right. I may add shell escaping, but now I'm not sure
> what should be escaped. I have something like:
>
> Exec("QUERY_STRING=\"words=".UrlEncode($text)."\" /usr/local/htdig/cgi-bin/htsearch ");
>
> I wonder if just escaping the result of the UrlEncode call would do. What do you think?

It depends upon the parameters of the query string. Some parts need to
be urlencoded, since they might contain characters which must be passed
to htsearch in an encoded way. Others can be passed to htsearch as is.

In the wrapper I wrote some time ago (see the contrib section of
ftp.htdig.org), I used the following code to invoke htsearch from PHP:

    // Command-line mode: the whole query string is the first argument.
    // Only the user-supplied words/keywords are URL-encoded; the other
    // values come from the wrapper's own accessors.
    Exec($this->htsearch_bin." \"".
         "config=".$this->config()."&".
         "words=".EscapeShellCmd(UrlEncode($the_words))."&".
         "keywords=".EscapeShellCmd(UrlEncode($the_keywords))."&".
         "page=".((string)$page_val)."&".
         "sort=".$this->sort()."&".
         "format=".$this->format()."&".
         "method=".$this->method()."&".
         "matchesperpage=".$this->matches_per_page()."&".
         "exclude=".$this->exclude()."&".
         "restrict=".$this->restrict()."\"",
         $this->result_data);   // exec() fills this array by reference

As you can see, there is also no need to set up any environment
variables, since htsearch is invoked in command-line mode.

cheers,

  Torsten

-- 
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstraße 14                            Tel: +49-4101-403605
D-25474 Ellerbek                            Fax: +49-4101-403606
E-Mail: info@inwise.de            Internet: http://www.inwise.de
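To make the escaping question in this thread concrete, the following is an added PHP example; it is not code from the thread, from the ht://Dig contrib wrapper, or from the ht://Dig project. It builds the htsearch query-string argument three ways: the way the wrapper above does it, with escapeshellarg() around a fully encoded query, and through proc_open() with an argv array so no shell is involved at all. The htsearch path is the one named in the thread and is an assumption, as are the parameter names, which are taken from the quoted code; the argv form of proc_open() needs PHP 7.4 or later, and the request array is constructed test input.

```php
<?php
// Added example, not the contrib wrapper's code.  Assumptions: htsearch in
// command-line mode takes the query string as its first argument, the binary
// lives at the path named in the thread, and PHP is 7.4 or newer.
declare(strict_types=1);

const HTSEARCH_BIN = '/usr/local/htdig/cgi-bin/htsearch'; // assumed path

// The pattern under discussion: urlencode only the search words, splice every
// other parameter in as-is.  Mirrors EscapeShellCmd(UrlEncode(...)) above.
function naive_query(array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        $value = (string) $value;
        if ($key === 'words' || $key === 'keywords') {
            $value = escapeshellcmd(urlencode($value));
        }
        $parts[] = $key . '=' . $value;
    }
    return implode('&', $parts);
}

// ...and then wrapped in double quotes on the command line.
function naive_command(array $params): string
{
    return HTSEARCH_BIN . ' "' . naive_query($params) . '"';
}

// Hardened: RFC 3986-encode every parameter, no exceptions for "safe" ones.
function safe_query(array $params): string
{
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// escapeshellarg() single-quotes the argument so the shell sees one literal word.
function safe_command(array $params): string
{
    return HTSEARCH_BIN . ' ' . escapeshellarg(safe_query($params));
}

// Review aid (not a sanitiser): inside "..." the shell still interprets
// $, backtick, a closing double quote and backslash; everything else is literal.
function unsafe_inside_double_quotes(string $arg): bool
{
    return preg_match('/[$`"\\\\]/', $arg) === 1;
}

// Safest: no shell.  With an argv array proc_open() execs the program directly.
// For the QUERY_STRING style quoted earlier in the thread, drop the second argv
// element and pass ['QUERY_STRING' => safe_query($params)] as the $env argument.
// Returns [exit status, output lines], or [null, []] if htsearch is not installed,
// so the example still runs on a machine without ht://Dig.
function run_htsearch(array $params): array
{
    if (!is_executable(HTSEARCH_BIN)) {
        return [null, []];
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([HTSEARCH_BIN, safe_query($params)], $spec, $pipes);
    if (!is_resource($proc)) {
        return [null, []];
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return [$status, $out === '' ? [] : explode("\n", rtrim($out, "\n"))];
}

// Constructed input.  The words are the obvious suspect but survive urlencode();
// the payload that matters sits in 'format', which the naive builder never
// encodes, and $(...) is still expanded by the shell inside double quotes.
$request = [
    'config' => 'htdig',
    'words'  => 'perl "`id`"',
    'format' => '$(id)',
    'page'   => 1,
];

foreach (['naive' => naive_query($request), 'safe' => safe_query($request)] as $label => $query) {
    printf("%-5s query: %s\n      shell can expand it: %s\n", $label, $query,
           unsafe_inside_double_quotes($query) ? 'yes' : 'no');
}
echo "naive command: ", naive_command($request), "\n";
echo "safe  command: ", safe_command($request), "\n";

[$status, $lines] = run_htsearch($request);
echo $status === null
    ? "htsearch not installed here; nothing was executed\n"
    : "htsearch exited with {$status}, " . count($lines) . " line(s) of output\n";
```

Run it with the PHP CLI. It shows the point the thread circles around: urlencode() really does strip every character the shell cares about from the words, so the words are not the hole; the unencoded parameters spliced into the same double-quoted string are, because `$(...)`, backticks and a stray `"` stay live inside double quotes, and the same holds for the `QUERY_STRING="..."` form quoted earlier. escapeshellcmd() is meant for a whole command line and would turn `$(id)` into `\$\(id\)`, which the shell partly unescapes before htsearch sees it; escapeshellarg() quotes one argument as a single word, and the argv form of proc_open() takes the shell out of the picture altogether.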

To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org. You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>



This archive was generated by hypermail 2b28 : Tue Sep 05 2000 - 01:13:34 PDT