Opened 7 years ago
Closed 6 years ago
#762 closed task (fixed)
Windows file select helper
Reported by: | darius | Owned by: | Olly Betts |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Other | Version: | |
Severity: | normal | Keywords: | |
Cc: | Blocked By: | ||
Blocking: | Operating System: | All |
Description
Hi, I setup Xapian Omega for some small businesses and created a simple powershell script to allow Omega to create special links that would open Windows Explorer and highlight the file.
It does require access via SMB with the same paths as searching returns but I think for this type of use case (ie indexing a small business file store) it's pretty common.
The code is at https://github.com/DanielO/OmegaLink
I was also wondering about writing a Wiki article but I can't see how to create a page :)
Change History (4)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
Thanks for the reminder - I did wonder about that but then forgot to check.
I enabled some logging and I see this..
Opening '
foofoo" evil "'
When passed omegalink:foo%22%20evil%20%22 so I think it is safe due to the quotes (so a Powershell guru assures me anyway..) If I put a literal space in (eg "omegalink://foo bar") then it gets passed through correctly.
With respect to the Wiki I ended up writing it up as a file in my Github repo - https://github.com/DanielO/OmegaLink/blob/master/USAGE.md
comment:3 by , 6 years ago
I created a wiki page showing how I used it.. https://trac.xapian.org/wiki/XapianOmegaSmallBiz
comment:4 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Type: | enhancement → task |
We sorted out trac permissions and there's now a wiki page created, so closing.
I'm not familiar with this scripting language, but is the quoting of
$filename
here safe?E.g. if an attacker tricks a user into clicking on a URL which contains double quotes, e.g. something like
omegalink:foo%22%20evil%20%22
. Maybe you can't cause explorer to do anything nasty even if you can break out of the quotes though.We disabled WIKI_CREATE permission by default as it was getting abused by spammers and isn't something that random users usually want to do. We're happy to enable it on request from legitimate users though (I've added you to the whitelist).