On Thu, Feb 07, 2002 at 12:53:58PM -0600, Gilles Detillieux wrote:
> According to Omar Thameen:
> > I've solved this.  In htsearch.cc, you have to
> > #define ALLOW_INSECURE_CGI_CONFIG
> > and recompile.
> >
> Bad idea!  Defining ALLOW_INSECURE_CGI_CONFIG does just that - it allows
> an insecure CGI program onto your web server, by disabling the security
> bug fix in htsearch in 3.1.6 (see http://www.securityfocus.com/bid/3410).

Thank you very much.  This is exactly the information I was scouring
the Internet for, but could not find.  You should definitely include
options 1-5 in the FAQ or right with the htsearch documentation,
as they led me to the solution.

FYI, I wanted to have the config files in separate directories for
organizational purposes, so #1 didn't work for me.  The problem I had
with #2 was solved by #3.  Since I'm not trying to run this chrooted
(just VirtualHosts), I don't need #4.

Again, thank you.

Omar

> This should only be done as a last recourse, when all other avenues
> failed.  The preferred ways of specifying the config file are as follows,
> in order of preference:
>
> 1) use the "config" input parameter in your search form
>    (see http://www.htdig.org/FAQ.html#q4.2)
>
> 2) if you need to get at files outside the default CONFIG_DIR, use a
>    wrapper script that redefines the CONFIG_DIR environment variable,
>    then use the config input parameter as above.  You said you tried
>    this and it failed, but I don't know why.  Your script looks OK to
>    me, but maybe you didn't set "config" properly in your form.
>
> 3) use a wrapper script to force htsearch to use a specific config
>    file using the -c option.  This is especially for cases where you
>    want to prevent the user from selecting other config files in your
>    CONFIG_DIR using the config input parameter.  For 3.1.6, this should
>    be done by using the GET method to call the wrapper script, and in
>    this script you must unset the REQUEST_METHOD environment variable
>    and pass "$QUERY_STRING" as a single argument to htsearch.
>
> 4) configure and compile different htsearch binaries with different
>    compile-time definitions of CONFIG_DIR, so you can avoid wrapper
>    scripts altogether.
>
> 5) define ALLOW_INSECURE_CGI_CONFIG and recompile htsearch if all other
>    approaches above fail for you.

_______________________________________________
htdig-general mailing list <[EMAIL PROTECTED]>
To unsubscribe, send a message to <[EMAIL PROTECTED]>
with a subject of unsubscribe
FAQ: http://htdig.sourceforge.net/FAQ.html
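
Option 3 from the quoted list, written out as a shell CGI wrapper. This is an added example, not part of the original thread or of the ht://Dig distribution; the two paths, the function names and the choice to answer non-GET requests with a 405 are assumptions of this example.

```shell
#!/bin/sh
# Added example: CGI wrapper for option 3 (htsearch 3.1.6).
# Both paths are assumed placeholders, fixed here on the server side so
# that nothing in the request can choose the binary or the config file.
HTSEARCH=/usr/local/libexec/htdig/htsearch   # assumed: real binary, kept outside cgi-bin
HTDIG_CONF=/etc/htdig/site1/htdig.conf       # assumed: the one config this wrapper serves

# Emit a minimal CGI error response (status line, header, body).
cgi_error() {
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$2"
}

run_search() {
    # Option 3 calls the wrapper with GET; rejecting other methods is
    # this example's choice, so the query only ever comes from QUERY_STRING.
    if [ "${REQUEST_METHOD-}" != "GET" ]; then
        cgi_error '405 Method Not Allowed' 'This search form only accepts GET.'
        return 1
    fi
    if [ ! -r "$HTDIG_CONF" ]; then
        cgi_error '500 Internal Server Error' 'Search is not configured.'
        return 1
    fi
    (
        # With REQUEST_METHOD unset, htsearch is no longer in CGI mode and
        # takes the query from its argument; the quotes keep the whole
        # query string as ONE argument, whatever characters it contains.
        unset REQUEST_METHOD
        exec "$HTSEARCH" -c "$HTDIG_CONF" "${QUERY_STRING-}"
    )
}

# Run only when the web server invokes this file as a CGI program.
if [ -n "${GATEWAY_INTERFACE-}" ]; then
    run_search
fi
```

The search form then points its action at this wrapper with method="get", one wrapper per virtual host or config file.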

