<div dir="ltr"><div dir="ltr">See my last response to Even... In terms of the config file I think we could consider things like setting a global value for ms_enable_modes. I can see that being helpful for admins as a way to, for example, turn off traditional CGI processing site-wide.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 17, 2021 at 3:56 PM Jeff McKenna <<a href="mailto:jmckenna@gatewaygeomatics.com">jmckenna@gatewaygeomatics.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Steve,<br>
<br>
How does your 'opt-in' thoughts impact the proposed config file for 8.0? <br>
(<a href="https://github.com/sdlime/mapserver/wiki/MapServer-8.0-Config-File" rel="noreferrer" target="_blank">https://github.com/sdlime/mapserver/wiki/MapServer-8.0-Config-File</a>) <br>
Put another way: I believe that the methods that you mention below are <br>
very confusing/difficult for users, and I'm wondering if we can instead <br>
make this simpler for users.<br>
<br>
-jeff<br>
<br>
<br>
<br>
On 2021-05-17 2:58 p.m., Steve Lime wrote:<br>
> Hi all: MapServer has a number of ways to enable/disable CGI-based <br>
> functionality. For example the /ows_enable_request/ metadata (RFC 67), <br>
> the /ms_enable_modes/ metadata (RFC 90) or the immutable validation <br>
> value associated with runtime changes (RFC 44). The latter doesn't seem <br>
> to be particularly well documented so folks probably don't know it's <br>
> possible. Of these methods, only ows_enable_request requires users to <br>
> opt in - you have to explicitly allow OWS services. The other methods <br>
> require users to opt out. I think we should think about changing that in <br>
> 8.0 and require explicit configuration by default, so:<br>
> <br>
> 1. Require /ms_enable_modes/ be set before handling native MapServer<br>
> CGI requests or at least set a more limited default than all modes.<br>
> 2. Consider objects as immutable by default and require users to<br>
> explicitly configure that at the object-level by adding. Would<br>
> probably need to extend the VALIDATION block to a few other objects<br>
> such as scalebars, reference maps and legends. The necessary changes<br>
> are otherwise not extensive.<br>
> <br>
> Note that I consider run-time substitutions as already being explicit <br>
> since 1) validation is required and 2) users must denote substitution <br>
> strings as appropriate. Thoughts?<br>
> <br>
> --Steve<br>
> <br>
> <br>
> <br>
> _______________________________________________<br>
> mapserver-dev mailing list<br>
> <a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
> <br>
<br>
<br>
-- <br>
Jeff McKenna<br>
GatewayGeo: Developers of MS4W, MapServer Consulting and Training<br>
co-founder of FOSS4G<br>
<a href="http://gatewaygeo.com/" rel="noreferrer" target="_blank">http://gatewaygeo.com/</a><br>
_______________________________________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
</blockquote></div></div>