Gossamer Forum

Search results. Bug?

Hi all,
I started designing the new website for a company that uses the GL and noticed that virtually ANY query will be handled. I visited some other sites and they all have the same problem: if you search for "a" (single letter) you basically get the whole database, no protection at all. This means you can get the full database of links with any wget or LWP script!
Is there a way to prevent this besides modifying search.cgi?
As a temporary solution I did the following (just in case someone is also concerned):

Code:
#!/usr/bin/perl
use strict;
use warnings;
use lib '/var/www/yoursite/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Search;

my %in;
getvars();
my $entra = $in{'query'};

# Refuse very short queries before the GL search code is even initialised.
if (defined $entra && $entra ne '' && length($entra) < 3) {
    print "Location: http://www.yoursite.com\n\n";
}
else {
    local $SIG{__DIE__} = \&Links::fatal;

    Links::init('/var/www/yoursite/cgi-bin/admin');
    Links::init_user();

    if (GT::Plugins->dispatch($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
        GT::Plugins->dispatch($CFG->{admin_root_path} . '/Plugins', 'handle_search', \&Links::User::Search::handle);
    }
}

# Minimal GET parser used only for the length check above: decodes '+' and
# %XX escapes, then keeps word characters and '-' only (whitespace is dropped
# too, so the length check sees the words run together).
sub getvars {
    return unless $ENV{QUERY_STRING};
    for (split /&/, $ENV{QUERY_STRING}) {
        my ($key, $val) = split /=/, $_, 2;
        next unless defined $key && $key ne '';
        $val = '' unless defined $val;
        $val =~ tr/+/ /;
        $val =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
        $val =~ s/[^\w-]//g;
        $in{$key} = $val;
    }
}

Yep, I entered stop_words and checked Search.pm for the 3 minimum, but GL just ignores them!

Another way to get ALL LINKS from a site: search for "http:". You get it all.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Blondies can have brains (sometimes...)
Re: [SaraBem] Search results. Bug?
I personally don't think that's too big of a problem, since they could just crawl your site and get everything that way as well.

The search behaviour itself varies depending on what search indexing you are using. It sounds like you're using the NONINDEXED indexing scheme which just does a "WHERE Description LIKE '%query%'". Using the MySQL indexing scheme will result in having a restriction of a minimum search term length of 3 or more. Take a look at the manual (downloadable from the user download area) for more details on the different indexing schemes.

If you still want to put restrictions on the search terms look into writing a plugin that does the check before the search code actually runs. Doing this as a plugin allows you to upgrade later without having to re-integrate your modifications.

Adrian
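The gate SaraBem bolted onto search.cgi checks only the total length of the raw query string, so "a b" or "http:" still go through to the search code, and Adrian's point is that the check belongs in a plugin that runs before the search handler. The following is an added example, not code from the thread or from Gossamer Links: a self-contained query gate that applies a per-term minimum length plus a stop-word list (both values are assumptions chosen for illustration; the thread only mentions a 3-character minimum) and strips punctuation before checking, so that the two queries the thread says dump the whole database ("a" and "http:") are refused while an ordinary multi-word query passes. It uses no GL modules and runs on its own.

```perl
#!/usr/bin/perl
# Added example, not part of the forum thread or of Gossamer Links.
use strict;
use warnings;

# Assumed tunables: GL's own minimum is 3 per the thread; the stop-word list
# is constructed for this example and includes the URL pieces that appear in
# every link record and therefore match everything.
my $MIN_TERM_LEN = 3;
my %STOP = map { $_ => 1 } qw(the and for with http https www com);

# check_query($raw) returns (1, \@terms) when the query is selective enough
# to run, or (0, $reason) when the search should be refused.
sub check_query {
    my ($query) = @_;
    return (0, 'empty query') unless defined $query && $query =~ /\S/;

    my @terms;
    for my $t (split ' ', $query) {
        $t =~ s/[^\w'-]//g;      # drop punctuation, e.g. the ':' in "http:"
        $t =~ s/^-+|-+$//g;      # "-foo" and "foo-" are just "foo"
        next if $t eq '';
        $t = lc $t;
        next if $STOP{$t};       # stop words narrow nothing, ignore them
        push @terms, $t;
    }
    return (0, 'no usable search terms') unless @terms;

    # Every surviving term must be long enough to narrow the result set;
    # one short term combined with long ones is fine, a lone "a" is not.
    for my $t (@terms) {
        return (0, "term '$t' is shorter than $MIN_TERM_LEN characters")
            if length($t) < $MIN_TERM_LEN;
    }
    return (1, \@terms);
}

# Demonstration on constructed queries, run only when executed directly.
unless (caller) {
    for my $q ('a', 'http:', 'the', 'a b', 'perl cgi scripts', 'perl-cgi') {
        my ($ok, $info) = check_query($q);
        printf "%-20s => %s\n", "'$q'",
            $ok ? 'run search for: ' . join(' ', @$info) : "refuse ($info)";
    }
}
```

Running the script refuses 'a', 'http:' (which reduces to the stop word "http"), 'the' and 'a b', and lets 'perl cgi scripts' and 'perl-cgi' through. To wire this into GL the way Adrian describes, the plugin's install code would register check_query's wrapper as a PRE hook on the handle_search hook that search.cgi dispatches, read the query from GL's CGI object inside the hook, and stop the hook chain with an error page when the gate refuses; the exact registration and stop calls are documented in GL's plugin manual and are not reproduced here, since this example does not depend on them.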