<div dir="ltr"><div dir="ltr">On Wed, Jun 30, 2021 at 9:23 AM Even Rouault <<a href="mailto:even.rouault@spatialys.com">even.rouault@spatialys.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Steve,<br>
<blockquote type="cite">
<div dir="ltr">
<div>I'm interested in what folks think about the Inja
templating/includes issues detailed in the Security
Considerations -> Template Handling section.</div>
</div>
</blockquote>
Templates are supposed to be under full control of the mapserver
administrator, and not users triggering the API, right ? So I'm not
sure what actual security issue there is.<br></div></blockquote><div><br></div><div>Correct, the location is defined by environment variable or metadata element. Just worth noting I guess.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite"><div dir="ltr"><div><span style="color:rgb(62,67,73);font-family:Arial,sans-serif;font-size:12.8px"><i><b>task:</b>
add ows_contact* information to the landing page (from the
associated values set in the mapfile)</i></span></div>
</div>
</blockquote>
Probably done per
<a href="https://github.com/MapServer/MapServer/pull/6180/commits/246e52e9884c0d83373c21afb0d45d3b9850b1dd#diff-9b6e48b47f13dba7ffabed64a2061ed7c8fe48c202ec1c7c5277b9cf95ecac86R26" target="_blank">https://github.com/MapServer/MapServer/pull/6180/commits/246e52e9884c0d83373c21afb0d45d3b9850b1dd#diff-9b6e48b47f13dba7ffabed64a2061ed7c8fe48c202ec1c7c5277b9cf95ecac86R26</a>
and
<a href="https://github.com/MapServer/MapServer/pull/6180/commits/246e52e9884c0d83373c21afb0d45d3b9850b1dd#diff-46e72d45fbe7adb5c2df20d7e4a963164b077f5505152841bdd6a2ce022ac42dR1166" target="_blank">https://github.com/MapServer/MapServer/pull/6180/commits/246e52e9884c0d83373c21afb0d45d3b9850b1dd#diff-46e72d45fbe7adb5c2df20d7e4a963164b077f5505152841bdd6a2ce022ac42dR1166</a><br>
<blockquote type="cite">
<div dir="ltr">
<div>I don't think contact information is part of the core
specification is it? I see pygeoapi does support it but is
there a standard approach...</div>
</div>
</blockquote>
<p>It is used for the /api end point and is optional.</p></div></blockquote><div>The templates basically render the JSON response you'd normally get. The landing JSON response doesn't have that contact info so we'd have to add it when f=html. If we moved the code to generate the contact info (<a href="https://github.com/sdlime/mapserver/blob/6ee5185d0a9ed1e4186ecc303b1fa4c0394e36ca/mapogcapi.cpp#L1305">https://github.com/sdlime/mapserver/blob/6ee5185d0a9ed1e4186ecc303b1fa4c0394e36ca/mapogcapi.cpp#L1305</a>) into its own function then it could used in both instances.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>Anyway, regarding other items in the wishlist, we should merge
the current work ASAP and deal with further changes as increments
/ tickets.<br></p></div></blockquote><div>Agreed. I'd like to call for a vote on RFC 134 and will start with a +1.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><p>
</p>
--
<pre cols="72"><a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a>
My software is free, but my time generally not.</pre>
</div>
</blockquote></div></div>