Re: [htdig] htsearch and alternate config file

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

According to Omar Thameen:
> I've solved this.  In htsearch.cc, you have to
> #define ALLOW_INSECURE_CGI_CONFIG
> and recompile.
> 
> I tried to define this in acconfig.h per comments in that file, but
> it had no effect on the compiled binary (perhaps this is a bug?).
> 
> Omar
> 
> On Wed, Feb 06, 2002 at 09:08:19PM -0500, I wrote:
> > Hi Folks,
> > 
> > I'm completely stumped.  I'm trying to get the get htsearch to take
> > an alternate config file so that I can maintain separate databases
> > for separate VirtualHosts.  I've successfully built a database.
> > I can run htsearch -c /path/to/dir/htdig.conf at the command line,
> > and it works.
> > 
> > However, nothing I do when submitting the search.html form works.

Bad idea!  Defining ALLOW_INSECURE_CGI_CONFIG does just that - it allows
an insecure CGI program onto your web server, by disabling the security
bug fix in htsearch in 3.1.6 (see http://www.securityfocus.com/bid/3410).

This should only be done as a last recourse, when all other avenues
failed.  The preferred ways of specifying the config file are as follows,
in order of preference:

1) use the "config" input parameter in your search form
   (see http://www.htdig.org/FAQ.html#q4.2)

2) if you need to get at files outside the default CONFIG_DIR, use a
   wrapper script that redefines the CONFIG_DIR environment variable,
   then use the config input parameter as above.  You said you tried
   this and it failed, but I don't know why.  Your script looks OK to
   me, but maybe you didn't set "config" properly in your form.

3) use a wrapper script to force htsearch to use a specific config
   file using the -c option.  This is especially for cases where you
   want to prevent the user from selecting other config files in your
   CONFIG_DIR using the config input parameter.  For 3.1.6, this should
   be done by using the GET method to call the wrapper script, and in
   this script you must unset the REQUEST_METHOD enviroment variable
   and pass "$QUERY_STRING" as a single argument to htsearch.

4) configure and compile different htsearch binaries with different
   compile-time definitions of CONFIG_DIR, so you can avoid wrapper
   scripts altogether.

5) define ALLOW_INSECURE_CGI_CONFIG and recompile htsearch if all other
   approaches above fail for you.

As for the acconfig.h file, I'm not sure about it, but it may be that
it's only used by autoconf and has no effect on the usual configure and
make approach to building the code.  It doesn't seem to be referenced
by any of the source files in the 3.1.6 distribution.  Maybe someone more
familiar with autoconf can comment?

-- 
Gilles R. Detillieux              E-mail: <gr...@sc...>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930