[Xapian-devel] Omega changes

Olly Betts olly at survex.com
Fri Dec 24 14:57:06 GMT 2004


On Fri, Dec 24, 2004 at 12:24:14PM +0100, Arjen van der Meijden wrote:
> As a bit of a side-step. I think those that use omega as a middle-end, 
> instead of a front-end application will be very pleased with a 
> commandline switch to specify the omega.conf-location. (some 
> --conf=-like parameter)
> 
> We would be pleased at least. And the creators of the React forum 
> software, who have incorporated omega as the search-backend, as well.
> 
> It allows for much easier process opening, since you won't have to toy 
> around with annoying not-entirely-or-clearly-working cwd's and stuff. If 
> the cgi-environment allows that command line switch to be set as well, 
> it'd also solve all your problems ;) But I don't know enough about cgi 
> to know whether that is possible.

Command line arguments can be passed to a CGI invocation, but not in a
good way...

> Of course, the command-line switch should not be allowed to be set 
> through the request-parameters.

An ISINDEX style query is turned into command line arguments to the
called program:

http://hoohoo.ncsa.uiuc.edu/cgi/cl.html

Now omega only tries to parse command line parameters if REQUEST_METHOD
isn't set, which I believe it should be for any invocation via CGI.  But
this defence hinges on REQUEST_METHOD getting set correctly by a third party
program (whatever web server is in use).  And that makes me a little
nervous.  What if an attacker fills up the space for the environment and
the web server fails to check the return error code from setenv() when
it tries to set REQUEST_METHOD?  What if they can prevent it being set
in some other way (especially as ISINDEX seems a less used corner of CGI)?

With Richard's proposed changes, you'd be able to set an environmental
variable to point to the omega.conf you want to use.  So instead of:

omega --conf=/path/to/omega.conf

You can use:

XAPIAN_OMEGA_CONF=/path/to/omega.conf omega

(Or set XAPIAN_OMEGA_CONF in the environment if the invoking isn't
through a shell).

Cheers,
    Olly
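
An added illustration of the ISINDEX behaviour and the REQUEST_METHOD concern discussed in the message above. It is not code from the post or from omega. The function names and the list of CGI variables checked are assumptions chosen for this sketch, and the sample query is constructed.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

using EnvLookup = const char* (*)(const char*);
static const char* real_env(const char* name) { return std::getenv(name); }

// Percent-decode one search word (%XX -> byte); malformed escapes pass through.
static std::string pct_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit((unsigned char)s[i + 1]) &&
            std::isxdigit((unsigned char)s[i + 2])) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// ISINDEX rule: a query with no unencoded '=' is split on '+' and each decoded
// word becomes one command line argument of the CGI program.
std::vector<std::string> isindex_args(const std::string& query) {
    std::vector<std::string> args;
    if (query.empty() || query.find('=') != std::string::npos) return args;
    for (size_t start = 0;;) {
        size_t plus = query.find('+', start);
        args.push_back(pct_decode(query.substr(start, plus - start)));
        if (plus == std::string::npos) break;
        start = plus + 1;
    }
    return args;
}

// Hypothetical guard: any one standard CGI variable marks a web invocation,
// so the decision does not rest on REQUEST_METHOD alone.
bool looks_like_cgi(EnvLookup get) {
    static const char* const markers[] = {"REQUEST_METHOD", "GATEWAY_INTERFACE",
        "QUERY_STRING", "SERVER_PROTOCOL", "SCRIPT_NAME"};
    for (const char* m : markers)
        if (get(m)) return true;
    return false;
}

int main() {
    // Constructed sample query, not taken from the thread.
    for (const auto& a : isindex_args("--conf%3Dsample.conf+term"))
        std::cout << "argv word: " << a << "\n";
    std::cout << (looks_like_cgi(real_env) ? "CGI: ignore argv\n" : "CLI: argv allowed\n");
}
```

Checking several variables narrows the single point of failure but still depends on the web server setting at least one of them; taking the configuration path from the environment rather than from argv removes that dependency for this setting.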
