From: Gilles D. <gr...@sc...> - 2002-02-07 18:54:07
According to Omar Thameen:
> I've solved this. In htsearch.cc, you have to
> #define ALLOW_INSECURE_CGI_CONFIG
> and recompile.
>
> I tried to define this in acconfig.h per comments in that file, but
> it had no effect on the compiled binary (perhaps this is a bug?).
>
> Omar
>
> On Wed, Feb 06, 2002 at 09:08:19PM -0500, I wrote:
> > Hi Folks,
> >
> > I'm completely stumped. I'm trying to get htsearch to take
> > an alternate config file so that I can maintain separate databases
> > for separate VirtualHosts. I've successfully built a database.
> > I can run htsearch -c /path/to/dir/htdig.conf at the command line,
> > and it works.
> >
> > However, nothing I do when submitting the search.html form works.

Bad idea! Defining ALLOW_INSECURE_CGI_CONFIG does just that - it allows an insecure CGI program onto your web server, by disabling the security bug fix in htsearch in 3.1.6 (see http://www.securityfocus.com/bid/3410). This should only be done as a last recourse, when all other avenues failed.

The preferred ways of specifying the config file are as follows, in order of preference:

1) use the "config" input parameter in your search form (see http://www.htdig.org/FAQ.html#q4.2)

2) if you need to get at files outside the default CONFIG_DIR, use a wrapper script that redefines the CONFIG_DIR environment variable, then use the config input parameter as above. You said you tried this and it failed, but I don't know why. Your script looks OK to me, but maybe you didn't set "config" properly in your form.

3) use a wrapper script to force htsearch to use a specific config file using the -c option. This is especially for cases where you want to prevent the user from selecting other config files in your CONFIG_DIR using the config input parameter. For 3.1.6, this should be done by using the GET method to call the wrapper script, and in this script you must unset the REQUEST_METHOD environment variable and pass "$QUERY_STRING" as a single argument to htsearch.

4) configure and compile different htsearch binaries with different compile-time definitions of CONFIG_DIR, so you can avoid wrapper scripts altogether.

5) define ALLOW_INSECURE_CGI_CONFIG and recompile htsearch if all other approaches above fail for you.

As for the acconfig.h file, I'm not sure about it, but it may be that it's only used by autoconf and has no effect on the usual configure and make approach to building the code. It doesn't seem to be referenced by any of the source files in the 3.1.6 distribution. Maybe someone more familiar with autoconf can comment?

--
Gilles R. Detillieux              E-mail: <gr...@sc...>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
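
Added example, not part of the original message or of the ht://Dig distribution: a wrapper script along the lines of option 3 above, extended to choose the config file from a fixed per-virtual-host table so that the form never names a path. The htsearch location, host names and config paths are assumed placeholders.

```shell
#!/bin/sh
# Added example: CGI wrapper that pins htsearch to one config per virtual host.
# HTSEARCH and the host-to-config table are assumed placeholder values.
HTSEARCH=${HTSEARCH:-/usr/local/bin/htsearch}   # assumed install path

# Map a virtual host name to a fixed config file (allowlist).
# Prints the path and returns 0, or returns 1 for any host not listed.
select_config() {
    # Lower-case and drop any ":port" so "WWW.Example.com:8080" still matches.
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%%:*}
    case "$host" in
        www.example.com)  echo /etc/htdig/example-com.conf ;;
        docs.example.org) echo /etc/htdig/example-org.conf ;;
        *) return 1 ;;
    esac
}

main() {
    # SERVER_NAME is the standard CGI variable naming the host being served.
    conf=$(select_config "${SERVER_NAME:-}") || {
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'No search index is configured for this host.\n'
        exit 0
    }
    # As described for 3.1.6 in the message above: unset REQUEST_METHOD and
    # hand the query to htsearch as one quoted argument, with -c naming the
    # config file chosen here rather than anything taken from the request.
    unset REQUEST_METHOD
    exec "$HTSEARCH" -c "$conf" "$QUERY_STRING"
}

# Web servers set GATEWAY_INTERFACE for CGI programs; do nothing otherwise.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main
fi
```

The search form calls this script with the GET method instead of calling htsearch directly.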