From: Geoff H. <ghu...@ws...> - 2002-10-04 21:00:59
On Fri, 4 Oct 2002, Gilles Detillieux wrote:

> However, I think in practice a lot of these are actually supposed to
> be integer-only. I think we'd need to check over how all attributes
> are used and label them consistently.

Good point.

> defaults.cc. They're implemented in htsearch, but nothing in htdig tags
> words with their corresponding flag values yet.

Once upon a time, I put in the code for capitals--basically when everything is "normalized" to lowercase, it checks to see if the strings changed and tags the word accordingly. (As I've done the mifluz code, I've found places like this where code seems to be missing--perhaps "migrated" to htword/mifluz by Loic.)

> All this raises the question of whether we should be listing CGI input
> parameters in attrs.html (which is generated from defaults.cc). To me,

Hmm. I thought one reason for doing this was to allow config-file overrides for most, if not all CGI input. Yes, we should probably enhance the hts_form.html file too, if not make it auto-generated.

> These PR# style bug numbers are from our old bug tracking database, prior
> to our move to SourceForge, and I don't think that database is accessible
> anywhere anymore. At the time of the move, I think Geoff created new
> bug tracking entries for old bug reports that were still opened, so the
> STATUS file should be updated to reflect the new numbers.

I'll try to look those up now. Yes, the SF bug database "got" everything from the old DB that wasn't closed.

> to avoid opening up big security holes (see myvictim.com URL above).
> It shouldn't be used for any attribute that defines part or all of a
> file name. The config input parameter is checked for pathname components,
> but none of the other input parameters are.

Yes, I'm not even sure the current documentation for allow_in_form is good enough for this yet. Perhaps it should give an explicit example of bad behavior with a note explaining how you can shoot yourself in the foot.

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
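
A config lint for the allow_in_form caveat discussed in this message, as an added example that is not part of the original post or of ht://Dig's own code: it reads an htdig-style config and flags allow_in_form entries whose names suggest a file or directory value. The name patterns, function names and sample config are assumptions constructed for illustration.

```python
import re

# Assumption: attribute-name endings that usually mean "value is a file or
# directory". A heuristic for illustration, not a list taken from ht://Dig.
PATH_LIKE = re.compile(
    r"(_file|_dir|_db|_base|_header|_footer|_wrapper|_map|_list)$"
)

def parse_config(text):
    """Parse 'name: value' lines; '#' starts a comment, a trailing
    backslash continues the value on the next line."""
    attrs, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            # Join continuation lines with a single space.
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def risky_form_attrs(text):
    """Return allow_in_form entries whose names look file- or
    directory-valued, i.e. ones that should not be settable from CGI input."""
    allowed = parse_config(text).get("allow_in_form", "").split()
    return [name for name in allowed if PATH_LIKE.search(name)]

# Constructed sample config, not from a real site.
SAMPLE = """\
# search form overrides
allow_in_form: search_algorithm matches_per_page \\
               nothing_found_file search_results_wrapper
nothing_found_file: ${common_dir}/nomatch.html
"""

if __name__ == "__main__":
    for name in risky_form_attrs(SAMPLE):
        print(f"allow_in_form exposes file-valued attribute: {name}")
```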