<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
<pre>Thanks Steve. I don't understand the syntax: in the regex versions I use, "." means "one and just one character", not any string.
Any string excluding the null-string would be ".+" or "..*"
More generally, I still have problems with validation as a concept: it's too difficult, and perhaps that's why it isn't documented.
I have postings about this subject in my personal mapserver-dev mail-archive dating from 2002
(couldn't find them on the official site any more), and there still isn't a clear solution almost ten years later.
IMHO the major security risk of MapServer CGI is that it gives access to the filesystem outside the web-root. Wouldn't it be better to keep security at that level,
i.e. only let MapServer access explicitly defined parts of the filesystem? Within these parts, it's up to the web-site builder to put only those things that should be
visible and nothing else. You don't put an ultra-secret document on the web and afterward restrict access to portions only, you just put there what you want to show
to the world. Same goes for validations on extent or styles: just make your selections of what you want to show "before" you let MapServer loose on it.
The same story can be told for database access and restrictions on SQL queries: IMHO that is a matter for the database system.
It's easy enough to put everything behind barriers with user privileges and views. Why should mapserver double all that security?
Any competent database administrator should know how to prevent SQL injects,
and MapServer should not be there to protect those who are unable to.
I've been working with Cloud VM's for about a year now, and in that environment many security problems disappear: just make small, dedicated
servers and interconnect them, e.g. with cascading services.
So my view would be: let the Operating System and the Database do everything needed to secure files and databases, and put in your web services only afterwards.
It all gets too complex with all those interconnected securities at all levels of the system (my main problem with Apache).
In the last ressort: KISS (Keep It Simple Steve (whoever)) :-)
Jan
-------------------------------------------------------------------------------------
On 04/28/11 18:48, Steve Woodbridge wrote
Hi Jan,
I do not think there is a global OFF switch for validation, but where
validation is required you can include the regex validation string of
/./ which means match anything except a null string, or to also accept a
null string then use /.*/
You still need to be aware of when you should put a validation in place
even if it accepts any string.
Regards,
-Steve W
</pre>
<br>
<br>
On 04/28/11 18:48, Jan Hartmann wrote:
<blockquote cite="mid:4DB99A76.2090503@uva.nl" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<font face="Times New Roman, Times, serif">I find the whole
validation issue difficult and not well documented (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://trac.osgeo.org/mapserver/ticket/3754">http://trac.osgeo.org/mapserver/ticket/3754</a>,
last updated four hours ago). How do I put all validation off? I
really don need that much security.<br>
<br>
Jan<br>
</font><br>
On 04/28/11 18:19, Lime, Steve D (DNR) wrote:
<blockquote
cite="mid:A7F7B3043D3BF0438F1206BAA3C9933C0831A523C2@MNMAIL05.ead.state.mn.us"
type="cite">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">I see the problem, just not sure
how to fix it. Steve W. provided some possibilities but
that’s probably not the only approach. It would be helpful
if some interested person(s) got together and drafted an
RFC. I think the devs would be in a position to help
define implementation details if the problem is well
defined along with a proposed solution.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">Steve<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-width: 1pt medium medium; border-style:
solid none none; border-color: rgb(181, 196, 223)
-moz-use-text-color -moz-use-text-color; padding: 3pt 0in
0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif";"> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:mapserver-users-bounces@lists.osgeo.org">mapserver-users-bounces@lists.osgeo.org</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:mapserver-users-bounces@lists.osgeo.org">mailto:mapserver-users-bounces@lists.osgeo.org</a>]
<b>On Behalf Of </b>Rahkonen Jukka<br>
<b>Sent:</b> Thursday, April 28, 2011 4:21 AM<br>
<b>To:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:mapserver-users@lists.osgeo.org">mapserver-users@lists.osgeo.org</a><br>
<b>Subject:</b> [mapserver-users] Validation beyond
[A-z]<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;
font-family: "Arial","sans-serif";
color: blue;">Hi,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;
font-family: "Arial","sans-serif";
color: blue;">Validation is nowadays needed in quite a
many places in a mapfile. However, we who live outside
the English speaking world tend to have more characters
in the alphabet than A to Z. This makes the mapfile
validation idea only half effective because for making
things to work at all with the native data we must
accept almost everything that is non-numeric with
wildcards. Are there others who think that this is a
problem?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;
font-family: "Arial","sans-serif";
color: blue;">Stephen Woodbidge commented slightly this
topic in another thead a month ago (Mar 29, 2011)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;
font-family: "Arial","sans-serif";
color: blue;"><a moz-do-not-send="true"
href="http://lists.osgeo.org/pipermail/mapserver-users/2011-March/068307.html">http://lists.osgeo.org/pipermail/mapserver-users/2011-March/068307.html</a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;
font-family: "Arial","sans-serif";
color: blue;">-Jukka Rahkonen-</span><o:p></o:p></p>
</div>
</div>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
mapserver-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:mapserver-users@lists.osgeo.org">mapserver-users@lists.osgeo.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.osgeo.org/mailman/listinfo/mapserver-users">http://lists.osgeo.org/mailman/listinfo/mapserver-users</a>
</pre>
</blockquote>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
mapserver-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mapserver-users@lists.osgeo.org">mapserver-users@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="http://lists.osgeo.org/mailman/listinfo/mapserver-users">http://lists.osgeo.org/mailman/listinfo/mapserver-users</a>
</pre>
</blockquote>
</body>
</html>