[GRASS-user] Use GRASS as a web-application?

Glynn Clements glynn at gclements.plus.com
Sun May 11 00:25:30 EDT 2008


Nikos Alexandris wrote:

> I am forwarding a friend's question concerning GRASS' capabilities in the
> field of web-services.

One point which I would make about using GRASS as a web application:
the CGI scripts need to carefully check all user-supplied input for
sanity, because GRASS itself is extremely lax in this regard.

If you just pass user input directly as arguments to GRASS modules,
you may as well just hand out shell access to your server, because:

1. GRASS will often pass inputs directly to library functions
(including system()) without any form of validation.

2. Inputs are often copied directly to fixed-size buffers.

While we want to fix these problems, it isn't going to happen
overnight. In the meantime, the "glue" (i.e. the CGI scripts) has the
responsibility of preventing security vulnerabilities.

-- 
Glynn Clements <glynn at gclements.plus.com>
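
An added example, not part of the original message and not GRASS project code: a CGI-side gate in Python that allow-lists modules, parameter names and value syntax, and caps value length, before anything is passed to a GRASS module. The exposed module list, the name pattern and the 64-character limit are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumed policy: the only modules and parameters this web front end exposes.
ALLOWED = {"r.info": {"map": "mapname"}, "v.info": {"map": "mapname"}}

# Assumed name syntax: ASCII, at most 64 characters, optional @mapset suffix.
# The character class shuts out shell metacharacters (the system() concern);
# the length bound addresses the fixed-size-buffer concern.
NAME = r"[A-Za-z][A-Za-z0-9_]{0,63}"
VALIDATORS = {"mapname": re.compile(rf"{NAME}(@{NAME})?")}


class RejectedInput(ValueError):
    """Raised when a request does not match the allow-list."""


def build_grass_argv(module, params):
    """Return an argv list for a GRASS module, or raise RejectedInput."""
    if not isinstance(module, str) or module not in ALLOWED:
        raise RejectedInput("module not exposed")
    spec = ALLOWED[module]
    if set(params) != set(spec):
        raise RejectedInput("unexpected or missing parameter")
    argv = [module]
    for key in sorted(spec):
        value = params[key]
        # fullmatch: the whole value must fit, so a trailing newline fails too
        if not isinstance(value, str) or not VALIDATORS[spec[key]].fullmatch(value):
            raise RejectedInput(f"bad value for {key}")
        argv.append(f"{key}={value}")
    return argv


def is_accepted(module, params):
    """Boolean form of the check, for use in a request handler."""
    try:
        build_grass_argv(module, params)
        return True
    except RejectedInput:
        return False


def run_grass(module, params, timeout=30):
    """Validate, then run without a shell so the glue adds no parsing step."""
    argv = build_grass_argv(module, params)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
```

Running without a shell only protects the glue layer; the strict value pattern is what limits what the GRASS module itself receives.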

