[sword-devel] diatheke security

Chris Little chrislit at crosswire.org
Wed Feb 7 04:04:34 MST 2007


I don't really recommend using diatheke as anything but a demo/sample 
app. It's out of date, ill-maintained, and was never that good to begin 
with. If you're setting up a Bible site, I would suggest trying to use 
the BibleTool.

That said, your best means of really securing web-executed diatheke use 
is to make sure that the user (e.g. apache) doesn't have permission to 
do anything more than necessary. In other words, don't give it 
permissions to execute programs like ls/rm/mv.

As it stands, the diatheke CGI script does two things:
1) It quotes the search box text, as Daniel said.
2) It escapes quote marks from the search box text. (See the 
shell_escape function in the CGI script.)

So [';ls /etc] in the search box will execute [diatheke -b KJV -s phrase 
-k 'Jesus\'; ls /etc'], which is neither interesting nor a security issue.

--Chris
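The safer alternative to quoting and escaping, as an added example that is not the CGI script discussed above nor code from the SWORD project: build the diatheke command as an argv list and run it without a shell, so ';' and quote marks in the search text have no meaning and Greek or Hebrew input needs no character filter. The wrapper names, the accepted search-type list and the length limit are assumptions of this example.

```python
import shlex
import subprocess
import sys
from typing import List

# Hypothetical wrapper written for this thread; not the diatheke CGI script.

def validate_search_text(text: str, max_len: int = 200) -> str:
    """Accept any Unicode letters (Greek, Hebrew, ...) but reject what an
    argv element cannot carry or a search never needs: NUL, other control
    characters, and unreasonable length (limit is an assumed value)."""
    if len(text) > max_len:
        raise ValueError("search text too long")
    if any(ord(c) < 0x20 or c == "\x7f" for c in text):
        raise ValueError("control characters not allowed")
    return text

def diatheke_argv(module: str, search_type: str, key: str) -> List[str]:
    """Build the command as an argv list. Every element reaches diatheke
    verbatim; no shell parses it, so ';', quotes and '$' are just text.
    The search types accepted here are an assumption of this example."""
    if not module.isalnum():
        raise ValueError("module name must be alphanumeric")
    if search_type not in ("phrase", "multiword", "regex"):
        raise ValueError("unknown search type")
    return ["diatheke", "-b", module, "-s", search_type,
            "-k", validate_search_text(key)]

def run_diatheke(module: str, search_type: str, key: str) -> str:
    """Run diatheke with shell=False (the default for a list argv)."""
    proc = subprocess.run(diatheke_argv(module, search_type, key),
                          capture_output=True, text=True, timeout=10, check=True)
    return proc.stdout

def shell_string_is_safe(module: str, search_type: str, key: str) -> bool:
    """If a shell string is unavoidable, quote each argument with shlex.quote
    and confirm the shell would split it back into exactly our argv."""
    argv = diatheke_argv(module, search_type, key)
    quoted = " ".join(shlex.quote(a) for a in argv)
    return shlex.split(quoted) == argv

def argv_roundtrip(key: str) -> str:
    """Demonstration: pass hostile text as one argv element to a child process
    (Python itself, so it runs anywhere) and return what the child received."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            validate_search_text(key)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```

The constructed input "Jesus';ls /etc" arrives in the child as a single argument and nothing else runs; combine this with running the web server user under the minimal permissions Chris describes.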




Linas S. wrote:
> Hello,
> 
> I am trying to make an online Bible script using diatheke. I have a problem: security.
> Users can put anything in a search box on the web page, e.g.:
> Jesus;ls /etc
> If I run such a command:
> diatheke -b KJV -s phrase -k Jesus; ls /etc
> I will get a listing of the /etc directory.
> I could check user input for characters other than the letters a - z, but
> users can enter Greek text or Hebrew.
> Is there any "safe" way of using diatheke?
> 
> Regards,
> 
> Linas S.
> 