
Announce: Swish-e 2.4.0 pre release 1 / Security Update

From: Bill Moseley <moseley(at)not-real.hank.org>
Date: Thu May 22 2003 - 05:21:13 GMT
I just uploaded to http://swish-e.org/Download/ Swish-e version 2.4.0-pr1 source
package.

I found a potential cross-site scripting bug in the swish.cgi script.
One of the highlighting modules was reporting to the swish.cgi script that
text was HTML escaped when it wasn't.  What that means is that if you are 
indexing untrusted documents and using swish.cgi that it's possible that 
someone could trick swish.cgi into displaying HTML markup when it shouldn't.

It's a minor risk, in my opinion, but I wanted to make the fix available as
soon as possible, which is in this new version.  There's no plan on updating
the existing 2.2.x version at this time because 2.4.0 should be released
very soon.  I can offer a patch to swish.cgi and the highlighting modules if
needed for the 2.2 version.

Otherwise: 2.4.0 has a number of large changes.  Make sure you review the 
CHANGES before installing:

  http://swish-e.org/dev/docs/CHANGES.html#Version_2_4_0_

Here are the big ones:

1) The C library API has changed.  The SWISHE module has been replaced by 
SWISH::API.  There is an interface SWISHE module available at:

  http://swish-e.org/Download/old/SWISHE-0.03.tar.gz

SWISHE-0.03.tar.gz is a pure-perl module that provides an old "SWISHE.pm"
interface to the new API. I do not recommend using that unless you have to. 
If you do use it let me know.  It's been a while since I tried it.

We will probably remove the SWISH::API module from the Swish-e distribution 
and provide it as a separate download before the final 2.4.0 version is 
released.  But for now it's included in the distribution.

2) The build system now uses Libtool and Automake.  That's mostly 
a transparent change that includes:

 - Swish-e now uses Libtool to build a shared library on most platforms.  
   Use configure --disable-shared if your platform chokes when 
   building Swish-e.

 - You can build Swish-e outside the source directory.  I guess
   that's the GNU recommended way.  Not very exciting, yes, I know.

 - Make install installs a lot more now.  Documentation is 
   installed in $prefix/share/doc/swish-e.  Helper perl modules are 
   installed and the programs that use them (namely spider.pl and 
   swish.cgi) know how to find them.

3) The SWISH::Filter modules are also installed and are set up to work by 
default with -S prog and spider.pl.  What that means is you can have a 
config file like:

   IndexDir spider.pl
   SwishProgParameters default http://localhost/

and run

   swish-e -S prog -c c

and swish-e will know how to find spider.pl, and spider.pl will use 
SWISH::Filter to filter documents.  If you want to start indexing PDF files 
just install the Xpdf package.  To install MS Word docs, just install 
catdoc.  Swish-e will see that the programs are installed and begin to index
PDF and Word docs.

This feature doesn't quite work yet on Windows, but will soon.


There's still a bit of documentation work to do before 2.4.0 is finally
released.  Mostly relating to the above changes.  I have rewritten the 
README and INSTALL docs (some of you know my editing skills!).  The point of 
INSTALL (and also README) is to introduce Swish-e to new users, so it would 
be very helpful to have someone that has just learned swish look them over 
and provide feedback.

Docs for this pre-release can be found at:

  http://swish-e.org/dev/docs/

Testing, patches and corrections of this pre-release are welcome, of course.


-- 
Bill Moseley
moseley@hank.org
Received on Thu May 22 05:21:18 2003
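The bug class described in the announcement above (a highlighting module telling the CGI script that its output is already HTML-escaped when it is not), shown as an added, constructed example; this is not Swish-e's own code or the author's patch, and the function names, the `escaped` flag and the sample document are assumptions made for the illustration:

```perl
#!/usr/bin/perl
# Constructed illustration of the escaping contract between a highlighting
# module and the CGI script that renders its output.
use strict;
use warnings;

# Minimal HTML escaper (assumed stand-in for whatever the template uses).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Buggy highlighter: wraps the query term in <b>, then claims the result is
# already escaped. Any markup in the untrusted document reaches the browser.
sub highlight_buggy {
    my ($text, $term) = @_;
    $text =~ s/(\Q$term\E)/<b>$1<\/b>/gi;
    return { text => $text, escaped => 1 };   # the flag is wrong
}

# Fixed highlighter: escape the untrusted document text first, then add the
# trusted <b> markup, so the escaped flag is actually true.
sub highlight_fixed {
    my ($text, $term) = @_;
    my $safe      = html_escape($text);
    my $safe_term = html_escape($term);
    $safe =~ s/(\Q$safe_term\E)/<b>$1<\/b>/gi;
    return { text => $safe, escaped => 1 };
}

# What the CGI script does with the result: it trusts the flag.
sub render {
    my ($h) = @_;
    return $h->{escaped} ? $h->{text} : html_escape($h->{text});
}

# Constructed untrusted document, as an indexed page might contain it.
my $doc  = 'Search hit: <script>untrusted()</script> mentions swish';
my $term = 'swish';

print "buggy: ", render(highlight_buggy($doc, $term)), "\n";
print "fixed: ", render(highlight_fixed($doc, $term)), "\n";
```

The buggy line emits the document's `<script>` element verbatim, while the fixed line emits it as `&lt;script&gt;` and only the `<b>swish</b>` wrapper is real markup; the point is that the escaped flag must be set by the code that actually did the escaping.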