<div>Hi Daniel & All,</div><div><br></div><div>I've updated RFC-90 to follow the concept mentioned. </div><div><br></div><div><a href="http://mapserver.org/development/rfc/ms-rfc-90.html" target="_blank">http://mapserver.org/development/rfc/ms-rfc-90.html</a></div>
<div><br></div><div>Here is a commit containing the proposed changes according to the recent version:</div><div><a href="https://github.com/szekerest/mapserver/commit/5d7ec08292e4b790d219082f7ea6ced83fc5c336" target="_blank">https://github.com/szekerest/mapserver/commit/5d7ec08292e4b790d219082f7ea6ced83fc5c336</a></div>
<div><br></div><div>Since I'm using msOWSParseRequestMetadata to implement the logic behind ms_enable_modes, the concept of defining the conditions is pretty much the same as for ows_enable_request.</div><div><br></div>
<div>ms_enable_modes for LAYER and further sophisticated ideas cannot be included to this RFC due to the limits of the available budget and the upcoming deadlines.</div><div><br></div><div>Let me know if you have further comments.</div>
<div><br></div><div>Best regards,</div><div><br></div><div>Tamas</div><div><br></div><div><br></div><br><br><div class="gmail_quote">2013/2/19 Daniel Morissette <span dir="ltr"><<a href="mailto:dmorissette@mapgears.com" target="_blank">dmorissette@mapgears.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello again,<br>
<br>
I just realized that my suggestion to implement full support for ms_enable_modes with all the flexibility provided by ows_enable_requests might be quite a bit more work that you have available in your budget, so perhaps a compromise would be to simply implement the following at the map-level:<br>
<br>
"ms_enable_modes" "*" # Enable all CGI modes<br>
<br>
or<br>
<br>
"ms_enable_modes" "!*" # Block all CGI modes<br>
<br>
This would be sufficient to allow someone using ows_allowed/denied_ip_list to disable use of the CGI modes, and would leave open the possibility to implement full support for the same logic as ows_enable_requests down the road when one has time/funding to do it.<span><font color="#888888"><br>
<br>
Daniel</font></span><div><div><br>
<br>
<br>
<br>
On 13-02-19 11:20 AM, Daniel Morissette wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 13-02-15 12:43 PM, Tamas Szekeres wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Devs,<br>
<br>
I've prepared an RFC including most of the suggestions received with<br>
regards to this addition.<br>
<a href="http://mapserver.org/development/rfc/ms-rfc-90.html" target="_blank">http://mapserver.org/<u></u>development/rfc/ms-rfc-90.html</a><br>
<br>
Let me know if you have further things to be taken into account before<br>
calling a vote on it.<br>
<br>
<br>
</blockquote>
<br>
Hi Tamas,<br>
<br>
A few questions/comments:<br>
<br>
- It is not clear if setting ows_allowed_ip_list implicitly means that<br>
all addresses are blocked, and then only the specified addresses are<br>
enabled, and vice-versa that setting ows_denied_ip_list means that any<br>
address has access by default, except for those listed in the deny list.<br>
I believe this is the implied behavior, but if yes then I think that<br>
should be made clear, and perhaps some examples provided with<br>
explanation of the corresponding behavior.<br>
<br>
- Is it possible to set both ows_allowed_ip_list and ows_denied_ip_list<br>
and if yes in this case which one takes precedence? Or do they interact<br>
with each other (i.e. Could I block a range of IPs with the deny list<br>
and then open up specific workstation addresses with the allow list? or<br>
the reverse: open up a range of IP addresses with the allow list and<br>
block a subset with the deny list?)<br>
<br>
<br>
- With respect to the ms_disable_modes, I don't like a logic where we<br>
need to explicitly list what we block. I prefer the other way around<br>
where we list what we enable to reduce the risk of leaving open holes in<br>
your server configuration.<br>
<br>
Actually, perhaps one way to deal with this would be to switch to a<br>
"ms_enable_modes" and use the same kind of logic as ows_enable_requests,<br>
with "!*" meaning disable all, and "!MAP" meaning disable MAP mode, and<br>
then allowing the use of ms_enable_modes at the layer-level as well.<br>
<br>
e.g.<br>
<br>
MAP<br>
WEB<br>
METADATA<br>
# Block all CGI modes except MAP and LEGEND<br>
"ms_enable_modes" "!* MAP LEGEND"<br>
...<br>
END<br>
...<br>
END<br>
...<br>
END<br>
<br>
using inheritance one could then block all modes at the top-level and<br>
re-enable a given mode only for specific layers:<br>
<br>
MAP<br>
WEB<br>
METADATA<br>
# Block all CGI modes by default for this mapfile<br>
"ms_enable_modes" "!*"<br>
...<br>
END<br>
...<br>
END<br>
<br>
LAYER<br>
METADATA<br>
# Enable MAP and LEGEND requests for this layer<br>
"ms_enable_modes" "MAP LEGEND"<br>
END<br>
...<br>
END<br>
END<br>
<br>
or one could be more open by default and selectively disable some<br>
requests at the layer level:<br>
<br>
MAP<br>
WEB<br>
METADATA<br>
# Open up ALL CGI modes by default for this mapfile<br>
"ms_enable_modes" "*"<br>
...<br>
END<br>
...<br>
END<br>
<br>
LAYER<br>
METADATA<br>
# But allow only MAP requests on this layer<br>
"ms_enable_modes" "!* MAP"<br>
END<br>
...<br>
END<br>
END<br>
<br>
<br>
</blockquote>
<br>
<br>
-- <br>
Daniel Morissette<br>
<a href="http://www.mapgears.com/" target="_blank">http://www.mapgears.com/</a><br>
Provider of Professional MapServer Support since 2000<br>
<br>
______________________________<u></u>_________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">http://lists.osgeo.org/<u></u>mailman/listinfo/mapserver-dev</a><br>
</div></div></blockquote></div><br>