Security update breaks sites that call the search function from another directory


pittster
01-15-2004, 07:30 AM
Hey everyone,

If you use the function to display the results and add the following lines at the top of the script:

// prevent remote command execution
if ((isset($relative_script_path)) &&
($relative_script_path != ".") &&
($relative_script_path != "..")) {
exit();
}

and you are running the function from a directory other than the phpdig directory, your script will break.

Be sure to add && ($relative_script_path != "../your_relative_script_path") to the end of that if statement.
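As an added illustration (not code from the thread or from PhpDig), the same check rewritten as an allow-list, so a custom install path is added in one place instead of by extending the chain of != comparisons. The entry "../my_phpdig_dir" and the sample values are assumptions made up for the example.

```php
<?php
// Added example: the security patch's equality chain rewritten as an
// allow-list. "../my_phpdig_dir" is an ASSUMED custom path; replace it with
// the relative path your own installation actually uses.

/**
 * Return true only if $path is one of the known-good values.
 * Any value that did not come from the configuration (a URL, an unexpected
 * traversal, anything else) is refused.
 */
function phpdig_path_allowed($path, array $allowed)
{
    // An unset path means the default install layout; nothing to check.
    if ($path === null) {
        return true;
    }
    // Strict comparison: exact string match, no type juggling.
    return in_array($path, $allowed, true);
}

// The two values the patch already accepts, plus one custom entry (assumed).
$allowed_paths = array('.', '..', '../my_phpdig_dir');

// Drop-in replacement for the patched block at the top of the script:
if (isset($relative_script_path)
    && !phpdig_path_allowed($relative_script_path, $allowed_paths)) {
    exit();
}

// Constructed sample values for a quick self-check (not real requests).
$samples = array(
    '.'                       => true,
    '..'                      => true,
    '../my_phpdig_dir'        => true,
    '../../other_dir'         => false,
    'http://example.invalid/' => false,
);
foreach ($samples as $value => $expected) {
    $result = phpdig_path_allowed($value, $allowed_paths);
    printf("%-26s %s\n", var_export($value, true),
           $result === $expected ? 'ok' : 'MISMATCH');
}
```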

Charter
01-15-2004, 08:29 AM
Hi. Yes, thanks. If you modified PhpDig paths, then you'll need to change/add to the if statement to fit your paths as pittster posted.

ZAP
01-19-2004, 05:22 PM
Just a quick tip:

If you're having trouble figuring out the correct value to add for your $relative_script_path (as I was), you can first change the security patch code to the following:

// prevent remote command execution
if ((isset($relative_script_path)) &&
($relative_script_path != ".") &&
($relative_script_path != "..")) {
echo $relative_script_path; exit();
}

Do a search and you will see what the proper path should be. Then IMMEDIATELY delete the "echo $relative_script_path;" and add your custom path to the IF statement as explained above. Only do this if you're having trouble getting phpDig to work after you add this security patch and you're not sure what your $relative_script_path is.

In my case, I had installed phpDig so long ago that I no longer remembered what I'd customized...

Charter
01-19-2004, 05:30 PM
Hi, thanks. Also, PhpDig version 1.8.0 is about to be released so if you want the same structure as was had before, you'll need to make the same such changes in the new version.

When version 1.8.0 is released, it is highly recommended to update and, of course, watch these boards and, if you've registered, watch your email for security updates.