Re: Insecure Indexing

From: David L Norris <dave(at)>
Date: Tue Mar 01 2005 - 19:35:52 GMT
On Tue, 2005-03-01 at 14:19 -0500, Michael Peters wrote:
>You mean an indexer that was aware of the web server's permissions? 
>Which one? Apache, IIS, Websphere, etc? Web servers can be configured 
>in such convoluted ways that it would be difficult to just parse a conf 
>file, not to mention custom auth handlers like one would write under 
>mod_perl, and forget being able to use cookies to check if someone is 
>'logged in'.

Well, that's exactly the argument I'm making.  It's unreasonably complex
to implement the convoluted logic required for an arbitrary number of
web servers.  Rather than trying to make Swish-e understand 100
different web servers I think it would be better to implement that in a
specialized "-S prog" method script.

>Or are you asking something else that I'm just not seeing?

It's mostly just a response to the "File-level search engines should
honor the web server access control for the indexed resource."
suggestion the article makes to search engine developers.  

 David Norris
  ICQ - 412039
Received on Tue Mar 1 11:35:52 2005
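
A sketch of the kind of "-S prog" script the message above has in mind, as an added example that is not part of the original post or of the Swish-e distribution. It assumes an Apache-style document root where restrictions are expressed only in per-directory `.htaccess` files (`AuthType`, `Require`, `Deny from`); the function names and the directive list are hypothetical, and restrictions set in the main server configuration, custom auth handlers and cookie logins are not covered.

```python
import os
import re
import sys

# Assumption: these .htaccess directives mark a directory as access-restricted.
RESTRICT = re.compile(rb"^\s*(AuthType|Require|Deny\s+from)\b", re.I | re.M)


def is_restricted(directory):
    """True if the directory's own .htaccess carries a restricting directive."""
    htaccess = os.path.join(directory, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, "rb") as fh:
        return RESTRICT.search(fh.read()) is not None


def prog_records(docroot):
    """Yield one prog-method record (headers, blank line, body) per public file."""
    for dirpath, dirnames, filenames in os.walk(docroot):
        if is_restricted(dirpath):
            # .htaccess applies to the whole subtree, so prune it entirely.
            dirnames[:] = []
            continue
        for name in sorted(filenames):
            if name.startswith(".ht"):
                continue  # never index the access-control files themselves
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            # Swish-e reads exactly Content-Length bytes after the blank line.
            header = b"Path-Name: %s\nContent-Length: %d\nLast-Mtime: %d\n\n" % (
                os.fsencode(path), len(body), int(os.path.getmtime(path)))
            yield header + body


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for record in prog_records(root):
        sys.stdout.buffer.write(record)
```

Swish-e runs such a script when indexing with `-S prog` and reads the records from its standard output, so the filtering policy lives in the script rather than in the indexer.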