[sword-devel] diatheke security
Chris Little
chrislit at crosswire.org
Wed Feb 7 04:04:34 MST 2007
I don't really recommend using diatheke as anything but a demo/sample
app. It's out of date, ill-maintained, and was never that good to begin
with. If you're setting up a Bible site, I would suggest trying to use
the BibleTool.
That said, your best means of really securing web-executed diatheke use
is to make sure that the user (e.g. apache) doesn't have permission to
do anything more than necessary. In other words, don't give it
permissions to execute programs like ls/rm/mv.
As it stands, the diatheke CGI script does two things:
1) It quotes the search box text, as Daniel said.
2) It escapes quote marks from the search box text. (See the
shell_escape function in the CGI script.)
So [';ls /etc] in the search box will execute [diatheke -b KJV -s phrase
-k 'Jesus\'; ls /etc'], which is neither interesting nor a security issue.
--Chris
Linas S. wrote:
> Hello,
>
> I am trying to make an online Bible script using diatheke. I have a problem: security.
> Users can put anything into a search box on the web page, e.g.:
> Jesus;ls /etc
> If I run a command such as:
> diatheke -b KJV -s phrase -k Jesus; ls /etc
> I will get a listing of the /etc directory.
> I could check user input for characters other than the letters a - z, but
> users can enter Greek or Hebrew text.
> Is there any "safe" way of using diatheke?
>
> Regards,
>
> Linas S.
>
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
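Added example, not code from the thread or from the SWORD project: a small Python wrapper showing the two defences discussed above side by side. `build_argv` hands diatheke an argument vector directly (no shell is involved, so `;` and quotes in the query are plain characters in one argument, and Greek or Hebrew text passes through untouched), while `shell_quote` reproduces the single-quote escaping a CGI shell wrapper needs, with `tokens_seen_by_shell` confirming that a shell would still deliver the whole query as a single argument. The binary name `diatheke` and the `-b MODULE -s phrase -k QUERY` option form are taken from the thread; that the program is on PATH is an assumption.

```python
"""Added example (not part of the sword-devel thread): calling diatheke from a
web script without letting user input reach a shell.

Assumptions (not from the page): a 'diatheke' binary on PATH that accepts the
argument form quoted in the thread (-b MODULE -s phrase -k QUERY).
"""
import shlex
import subprocess

DIATHEKE = "diatheke"  # assumed binary name


def shell_quote(text: str) -> str:
    """Single-quote text for /bin/sh.

    Inside single quotes nothing is special except another single quote, so
    every embedded apostrophe is handled by closing the quotes, emitting an
    escaped quote, and reopening them: ' -> '\\''.  This is the rule a CGI
    shell wrapper must apply to search-box text before interpolating it.
    """
    return "'" + text.replace("'", "'\\''") + "'"


def build_argv(module: str, search_type: str, query: str) -> list:
    """Build the argument vector that will be passed straight to exec().

    No shell parses this list, so ';', '|', '$(...)' and quote characters in
    query are ordinary bytes inside a single argument, and non-ASCII text
    (Greek, Hebrew) needs no filtering at all.
    """
    return [DIATHEKE, "-b", module, "-s", search_type, "-k", query]


def run_search(module: str, search_type: str, query: str, timeout: int = 10) -> str:
    """Run diatheke with shell=False (subprocess.run's default) and return stdout.

    Combined with running the web server as an account that cannot execute
    anything beyond diatheke itself, this is the least-privilege setup the
    thread recommends.
    """
    proc = subprocess.run(
        build_argv(module, search_type, query),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout


def tokens_seen_by_shell(module: str, search_type: str, query: str) -> list:
    """Show what /bin/sh would hand to diatheke if the query were wrapped with
    shell_quote() and interpolated into a command line (shlex.split follows
    POSIX shell quoting rules, so it reproduces the shell's word splitting).
    """
    cmdline = f"{DIATHEKE} -b {module} -s {search_type} -k {shell_quote(query)}"
    return shlex.split(cmdline)


if __name__ == "__main__":
    # Constructed sample queries: the thread's examples plus Greek and Hebrew.
    for q in ["Jesus; ls /etc", "Jesus'; ls /etc", "Ἰησοῦς", "ישוע"]:
        print("argv :", build_argv("KJV", "phrase", q))
        print("shell:", tokens_seen_by_shell("KJV", "phrase", q))
```

For each sample the last element of both lists is the full query, including the apostrophe in `Jesus'; ls /etc`, which is exactly the argument diatheke receives; nothing after the `;` is ever interpreted as a separate command.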