Date: Tue, 22 May 2001 16:41:00 -0500 (CDT) 
From: Gilles Detillieux
To: Berthold Cogel
Cc: Geoff Hutchison, htdig-general
Subject: Re: [htdig] expansion of attributes in include directive

According to Berthold Cogel:
> 'language' is the language used in the templates.
> The replacements in the template paths are working. But for the includes
> it is ignored. If I uncomment the definition of 'language' in this
> configuration, this value is used for the includes. Somehow attributes
> set in the search forms are ignored in the include directive.
>
> -------------------------:<-------------------------------------------
>
> # config file for ht://Dig.
> #
> # .uni-koeln.de
> #
> # faculty
> #
> # Search for institutes, standard template
>
> basedir: /htdig
> #language: de
>
> # allowed attributes
> allow_in_form: matches_per_page \
> script_name \
> faculty \
> language

You shouldn't need matches_per_page in allow_in_form, as the
"matchesperpage" input parameter already overrides the matches_per_page
attribute.

> # database definitions
> include ${basedir}/conf/lib/db_uklan.conf
>
> # language dependent definitions
> include ${basedir}/conf/lib/locale_de.conf
>
> # search algorithms
> include ${basedir}/conf/lib/search_${language}.conf
>
> # lists in search form
> include ${basedir}/conf/lib/forms_${language}.conf
>
> # definitions for search results
> include ${basedir}/conf/lib/results_${language}.conf
>
> document_root: /www/docs
> template_dir: /suche/htdig
> image_url_prefix: /suche/htdig/img
> star_blank: ${image_url_prefix}/star_blank.gif
> star_image: ${image_url_prefix}/star.gif
>
> common_dir: ${document_root}${template_dir}
>
> search_results_header: ${common_dir}/${language}_faculty_header.html
> search_results_footer: ${common_dir}/${language}_faculty_footer.html
> search_results_wrapper: ${common_dir}/${language}_faculty_wrapper.html
> syntax_error_file: ${common_dir}/${language}_faculty_syntax.html
> nothing_found_file: ${common_dir}/${language}_faculty_nomatch.html

I just thought you should be aware of the potential security implications
of the above constructs. There is no checking done to see if ${language}
contains path name components, so it might be possible to use this to
access files in other directories. One way you could avoid this, and get
includes working at the same time, would be to patch in some handling of
the "language" input parameter into htsearch/htsearch.cc, just like it
does with "config", to make sure there are no "./" strings anywhere in
it, and if it's OK stick it in the config list before reading in the
config file. Try this patch and see if it does the trick...

--- htsearch/htsearch.cc.orig	Tue Feb 15 16:17:13 2000
+++ htsearch/htsearch.cc	Tue May 22 16:34:15 2001
@@ -152,6 +152,9 @@ main(int ac, char **av)
 	    reportError(form("Unable to read configuration file '%s'",
 			     configFile.get()));
 	}
+	// Allow ${language} in includes, but make sure it's secure...
+	if (input.exists("language") && strstr(input["language"], "./") == NULL)
+	    config.Add("language", input["language"]);
 	config.Read(configFile);
 
 	if (input.exists("method"))

You'll still want to keep "language" in allow_in_form, so it gets
propagated to the template variable LANGUAGE for use in follow-up search
forms, as well as added to PAGELIST buttons, unless you also patch
Display.cc to handle this directly.

-- 
Gilles R. Detillieux              E-mail:
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930

_______________________________________________
htdig-general mailing list
To unsubscribe, send a message to with a subject of unsubscribe
FAQ: http://htdig.sourceforge.net/FAQ.html
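Review bot: the added check `strstr(input["language"], "./") == NULL` is a deny-list that only rules out "./" and "../"; since the value is spliced straight into file names (`search_${language}.conf`, `${language}_faculty_header.html`), an allowlist of the characters a language tag can contain (letters, digits, underscore) would be simpler to reason about and would not depend on enumerating bad substrings. Also, a value that fails the test is dropped silently, whereas the lines just above call reportError for an unreadable config file; reporting the rejected value would make a misconfigured form or a probe visible in the logs instead of quietly falling back to the default language.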
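The allowlist alternative to the patch's "./" check, written as an added example (not ht://Dig code and not part of the original message); `expand_path` is a hypothetical stand-in for ht://Dig's own `${var}` expansion, and the 2..8-character limit and the character set are assumptions:

```c
/* Added example, not ht://Dig's own code: validating the "language" form
 * value before it is spliced into include and template paths. */
#include <string.h>
#include <ctype.h>
/* The patch's deny-list test: accepts anything not containing "./". */
int language_denylist_ok(const char *v) { return strstr(v, "./") == NULL; }
/* Allowlist (assumed): 2..8 letters, digits or '_' (e.g. "de", "pt_BR"). */
int language_allowlist_ok(const char *v) {
    size_t n = strlen(v);
    if (n < 2 || n > 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]) && v[i] != '_') return 0;
    return 1;
}

/* Expand ${basedir} and ${language} in a path template (a hypothetical
 * stand-in for ht://Dig's own expansion). Returns bytes written, -1 on overflow. */
int expand_path(const char *tmpl, const char *basedir, const char *language,
                char *out, size_t outsz) {
    size_t o = 0;
    for (const char *p = tmpl; *p; ) {
        const char *val = NULL; size_t skip = 0;
        if (strncmp(p, "${basedir}", 10) == 0) { val = basedir; skip = 10; }
        else if (strncmp(p, "${language}", 11) == 0) { val = language; skip = 11; }
        if (val) {                       /* substitute the variable's value */
            size_t vl = strlen(val);
            if (o + vl >= outsz) return -1;
            memcpy(out + o, val, vl); o += vl; p += skip;
        } else {                         /* copy a literal character */
            if (o + 1 >= outsz) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Expand only for an allowlisted language; -1 means refuse and fall back. */
int resolve_include(const char *tmpl, const char *basedir, const char *language, char *out, size_t outsz) {
    if (!language_allowlist_ok(language)) return -1;
    return expand_path(tmpl, basedir, language, out, outsz);
}

/* Does resolving the template with this language yield exactly `expected`? */
int include_path_equals(const char *tmpl, const char *basedir,
                        const char *language, const char *expected) {
    char buf[256];
    return resolve_include(tmpl, basedir, language, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}
```

A value such as "de/x" passes the patch's deny-list but fails the allowlist, which is the difference the two checks make.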