On Sat, 5 Oct 2002 06:39, Gilles Detillieux wrote:
> According to Lachlan Andrew:
> > I've updated  defaults.cc  to list all variables used
> > by any of the programs (according to "grep config"),
>
> The distinction between "number" and "integer" attribute
> I think we'd need to check over how all
> attributes are used and label them consistently.

I guessed as much.  I'll go through and do that.

> The code support for author_factor, caps_factor, and
> url_text_factor is not complete, so I assume this is why
> the attributes weren't in defaults.cc.

OK.  How about including them in defaults.cc with a comment 
noting they're incomplete?

> I think it would confuse the issue if we listed
> CGI-only parameter names <in attr.html>. CGI
> input parameters are listed in
> http://www.htdig.org/hts_form.html

Fair enough.

> This second patch is a pretty dangerous one!  The whole
> reason for the allow_in_form is to let you define...

Yes, I realise it is a rather scatter-gun approach, but I 
wasn't aware of  allow_in_form.  Once I've fixed  
defaults.cc, I'll redo this patch in line with your 
suggestions.  Thanks for the clarifications :)

> allow_in_form must be used very carefully to avoid
> opening up big security holes (see myvictim.com URL
> above). It shouldn't be used for any attribute that
> defines part or all of a file name.  The config input
> parameter is checked for pathname components, but none of
> the other input parameters are.

For "filename-related" attributes, would it be worth (a) 
removing a leading "/" and (b) passing it through URL.cc's 
code to eliminate excess "../"s?  (I'll read again through 
the checking of "config".)  That way, even if the admin 
*does* choose to list them in  allow_in_form,  the danger 
is minimised.


Thank you both for your useful feedback :)
Lachlan

-- 
Lachlan Andrew  Phone: +613 8344-3816 Fax: +613 8344-6678
Dept of Electrical and Electronic Engg          CRICOS Provider Code
University of Melbourne, Victoria, 3010  AUSTRALIA      00116K
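The two treatments discussed in the thread for a CGI-supplied value that ends up in a file name, written out as an added example (this is not htdig's URL.cc code, and the function names are hypothetical). The strict check refuses any value carrying pathname components, which is the kind of test the thread says is applied to the "config" parameter; the normalizer does what Lachlan proposes for attributes an admin has nevertheless listed in allow_in_form: drop a leading "/", collapse "." and empty segments, and resolve ".." without ever climbing above the starting directory.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper (added example): true if the value contains anything
// that could be interpreted as a pathname component. For attributes that
// form part of a file name, rejecting such values is the safer default.
bool hasPathComponents(const std::string &value)
{
    if (value.find('/') != std::string::npos) return true;   // directory separator
    if (value.find('\\') != std::string::npos) return true;  // separator on other platforms
    if (value.find("..") != std::string::npos) return true;  // parent-directory climb
    if (value.find('\0') != std::string::npos) return true;  // embedded NUL truncation
    return false;
}

// Hypothetical helper (added example): fallback normalization for values an
// admin has chosen to expose via allow_in_form anyway. Strips a leading "/",
// drops "." and empty segments, and resolves "..", but never pops past the
// first segment, so "../../etc/passwd" cannot leave the base directory.
std::string normalizeRelative(const std::string &value)
{
    std::vector<std::string> parts;
    std::string seg;
    std::istringstream in(value);
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;   // leading "/", "//", "./"
        if (seg == "..") {
            if (!parts.empty()) parts.pop_back();  // climb, but not above root
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '/';
        out += parts[i];
    }
    return out;
}

int main()
{
    // Constructed sample inputs, the kind a CGI form could submit.
    const char *samples[] = { "htdig", "../../../etc/passwd", "/etc/passwd", "a/./b//../c" };
    for (const char *s : samples) {
        std::cout << '"' << s << "\": "
                  << (hasPathComponents(s) ? "REJECT" : "accept")
                  << ", normalized -> \"" << normalizeRelative(s) << "\"\n";
    }
    return 0;
}
```

Note what the normalizer cannot do: "/etc/passwd" becomes the relative name "etc/passwd", which is harmless only if every filename-related attribute is then resolved under a fixed base directory. That is why the strict check should be the first line and the normalizer only a second.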


_______________________________________________
htdig-dev mailing list
https://lists.sourceforge.net/lists/listinfo/htdig-dev