<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Sans Serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Moving to just mapserver-dev… I’m guessing Thomas is traveling, bummer. I suppose we could look at the instances and see if there really is value in returning
the user value and then make the decision on approach.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Even Rouault [mailto:even.rouault@spatialys.com]
<br>
<b>Sent:</b> Monday, August 07, 2017 11:14 AM<br>
<b>To:</b> mapserver-dev@lists.osgeo.org<br>
<b>Cc:</b> Lime, Steve D (MNIT) <steve.lime@state.mn.us>; Jeff McKenna <jmckenna@gatewaygeomatics.com>; mapserver-users@lists.osgeo.org<br>
<b>Subject:</b> Re: [mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">On lundi 7 août 2017 15:20:01 CEST Lime, Steve D (MNIT) wrote:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> I'd favor the more simple and safer approach. It's not that difficult for<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> the user to validate the layers requested against the GetCapabilties<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> response. MapServer itself does not return the name of the invalid layer,<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> presumably for the exact same reason. Instead you get<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> "msWMSLoadGetMapParams(): WMS server error. Invalid layer(s) given in the<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> LAYERS parameter. A layer might be disabled for this request. Check<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> wms/ows_enable_request settings.".<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Agreed. I guess Jeff's remark was perhaps if the client software sends a lot of requests and it is not very convenient
to match the responses with the queries which have been fired. For a single request, re-emitting the value in the response exception doesn't bring much, because the user knows what it has requested.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> Even, would you be willing to prepare a patch?<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">I can. I would have been interested in hearing Thomas' opinion, but given the period of the year he might not been reading
us.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">I've researched how to safely "escape" arbitrary user data input for inclusion inside <-- --> markers, but couldn't
find any solid reference (probably rejeting "--" should be sufficient ?). As there's one function per protocol where error messages are formatted, the sanitizing could potentially be centralized there, which would reduce the amount of changes. The simpler
approach I talked about is simpler indeed but requires to identify all the places where a user value is returned in an error message ( mostly grepping for a "%s" in a set_error() call ) : not hard, but with a slight chance of missing something.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Even<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">--
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Spatialys - Geospatial professional services<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif"><a href="http://www.spatialys.com">http://www.spatialys.com</a><o:p></o:p></span></p>
</div>
</body>
</html>