mapserver 5 expression

Jan Hartmann j.l.h.hartmann at UVA.NL
Fri Aug 31 08:31:44 EDT 2007 

Am I right that expressions could be changed by URLS in version 4 and 
cannot be changed any more in version 5? In that case I would strongly 
propose to reintroduce that possibility. It would break many of my 
applications, and I would need to use MapScript for those. Generally I 
only use CGI, because not all webservers I have to write for support 
MapScript. It's really a big restriction on MapServer CGI

If there are security problems, I would like to see examples of those. 
Perhaps  more specific solution can be found then. Anayway, the DATA 
statement is protected by the DATAPATTERN statement in the mapfile, so 
if someone sets that open, he takes a risk anayway. Prohibiting changes 
to expressions in that situation is overkill IMO.

Jan

Steve Lime wrote:
> Expressions are not changable via URL configuration, at least not in
> their entirety like
> you are doing. I took a conservative approach to exposing parameters to
> URL when
> that support was re-written for 5.0. I was concerned that unchecked
> manipulation of
> expressions and filters *could* be a security problem, so that is
> unavailable.
> 
> What do folks think?
> 
> Note that it is easy to re-enable. Just change line 162 in maplexer.l:
> 
> from <INITIAL>expression ...
> to <INITIAL,URL_STRING>expression ...
> 
> You can also work around this using runtime substitution. Presumably
> you'd write the mapfile
> entry like so:
> 
>   LAYER
>     NAME 'fastvisa'
>     ...
>     CLASS
>         EXPRESSION ([FNR]=%myid%)
>     END
>   END
> 
> and would have a URL like ...&myid=210176493&...
> 
> The advantage here is the you make the decision to enable that level of
> configuration, plus you
> can apply a regex filter to the value passed in from the URL and if the
> value doesn't match that
> pattern then no substitution is made:
> 
>   LAYER
>     NAME 'fastvisa'
>     ...
>     METADATA
>        myid_validation_pattern   '^\d{9}$'
>     END
>     CLASS
>         EXPRESSION ([FNR]=%myid%)
>     END
>   END
> 
> In this example the input value for myid must consist of exactly 9
> digits.
> 
> Steve
> 
>>>> On 8/29/2007 at 7:28 AM, in message
> <BAY116-F20CE60F662031E0BD05A8182CC0 at phx.gbl>, Lars-Göran Edholm
> <lged_morris at HOTMAIL.COM> wrote:
>> Hi again!
>> Tried with
>> &map.layer[fastvisa].class[0]=EXPRESSION+([FNR]=210176493)
>> gives the error:
>> loadClass(): Unknown identifier. Parsing error near
> (EXPRESSION):(line 1)
>> with
>> &map.layer[fastvisa].class[0].EXPRESSION=([FNR]=210176493)
>> i get
>> loadClass(): Unknown identifier. Parsing error near (():(line 1)
>>
>> Seems that there is something with Expression that is wrong.
>> Lars-Göran Edholm
>>
>> _________________________________________________________________
>> Upptäck kärleken på MSN 
>> http://match.se.msn.com/channel/index.aspx?trackingid=1002962
>

More information about the mapserver-users mailing list