Skip to main content.
home | support | download

Back to List Archive

Re: Swish on Windows

From: Greg Ford <greg(at)not-real.reddfish.co.nz>
Date: Sun Aug 31 2003 - 03:14:36 GMT
Hi

> > >Right now you'd end up with a screenful of
> > >dialog boxes on the server console.
> >
> > I am looking at making some changes to remove these message boxes for
> > ASP use (see my other message re compiling SwishCtl).
>
> It could use better error handling for sure.

Yes - as a non-UI ActiveX control it should probably _never_ pop up a dialog
box
- but I used dialogs extensively for debugging and never got rid of them
all.

There's a more insidious problem that if the swish-e library returns an
error
the ActiveX functions return an error value - the error value is given to
the ActiveX subsystem
rather than to the calling program this almost always causes IE to crash.

I think maybe SwishCtl should never return an error value to the ActiveX
subsystem
but rather just use the swish-e error function (getlasterror() ?).
I would have done this in SwishCtl if I'd understood earlier the nature
(severity) of ActiveX errors.

> > I would also like to be able to select a specific index file to use.
> > While this may be unsafe when used on the client side it should be
> > safe when used in an ASP script.
>[ ...]

Since building my first SwishCtl database - I've found at least two more
applications for it - so I did make modifications to do this...

> With all that rambling in mind...  What I've been pondering is to create
> a registry key for each directory where you would store index files.
> (i.e. multiple IndexLocation entries).  (Greg has implemented something
> like this but I've probably not added his patch yet.)

My modifications enabled  multiple Indexes to work but there is still a
less pressing problem. Which is that if I have multiple databases they
all have to have the same version of index files!

Currently the setup program will overwrite an older SwishCtl.dll
installation
with a more recent one. So if you have 2 CDs containing SwishCtl
databases with different versions you have to uninstall the new one before
you can use the old one....

I haven't checked whether the swish-e library has a way of checking the
version of the index files - but SwishCtl should probably do this!

>In a hosting
> environment this could be used to provide each user with their own
> SWISH-E index directory in their home directory (perhaps outside the web
> tree).  The registry entry might be their username (and only an admin
> can add entries since it's in HKLM).  Now, let's say we make IndexFiles
> a list of filenames instead of a registry key.  We set forth some simple
> index file naming rules and reject with a fatal error an IndexFiles
> argument which violates the rules.  Init might be called like this
> Init("myusername", "docs test etc").  The rules might only allow A-Z and
> maybe a single '.' in the index file names.  So, now we can specify the
> filenames within the script but they aren't arbitrary since they are
> restricted to a single directory (and our restrictive filename rules
> prevent .., ..., / type attacks).

I don't think there's much of a problem for ASPs - what the current
registry settings do is that they mean you have to have write access to
the registry to be able to add a new index/database.

There may be an issue if you want multiple we-based users to have their
own personal databases - potentially a user could access the index of
someone elses database... but if this kind of security isn't necessary
then (my) current system will work fine.

The main ActiveX issue as I see it is that as the control is scriptable -
any page you visit on the Internet could contain a reference to it -
they could then try an exploit against your computer by specifying
an index that causes your system to crash or to provide information back to
the attacker - the current code should protect against this adequately...


Greg Ford

> As I said, I know almost nothing about ActiveX and you may well have
> some way around all that.
>
> --
>  David Norris
>   http://www.webaugur.com/dave/
>   ICQ - 412039
>
Received on Sun Aug 31 03:15:07 2003