[Mapbender-commits] r7619 - in trunk/mapbender: conf http/php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Thu Feb 17 03:13:58 EST 2011
Author: armin11
Date: 2011-02-17 00:13:58 -0800 (Thu, 17 Feb 2011)
New Revision: 7619
Modified:
trunk/mapbender/conf/mapbender.conf-dist
trunk/mapbender/http/php/mod_callMetadata.php
trunk/mapbender/http/php/mod_getWmcDisclaimer.php
trunk/mapbender/http/php/tagCloud.php
Log:
Add a configurable whitelist for the hostName parameter that is passed from one web service to another. If the whitelist is not defined, $_SERVER['HTTP_HOST'] is used instead.
Modified: trunk/mapbender/conf/mapbender.conf-dist
===================================================================
--- trunk/mapbender/conf/mapbender.conf-dist 2011-02-17 07:01:31 UTC (rev 7618)
+++ trunk/mapbender/conf/mapbender.conf-dist 2011-02-17 08:13:58 UTC (rev 7619)
@@ -37,13 +37,13 @@
# --------------------------------------------
define("LOGIN", "http://localhost/mapbender/frames/login.php");
$login = LOGIN;
-
-# --------------------------------------------
-# MAXLOGIN - this parameter is not in use anymore, but still needed for compatibility
-# --------------------------------------------
-define("MAXLOGIN", 3);
# --------------------------------------------
+# MAXLOGIN - this parameter is not in use anymore, but still needed for compatibility
+# --------------------------------------------
+define("MAXLOGIN", 3);
+
+# --------------------------------------------
# URL to owsproxy
# (no terminating slash)
# --------------------------------------------
@@ -169,6 +169,13 @@
# --------------------------------------------
#define("SESSION_NAME", "MAPBENDER");
+
+#---------------------------------------------
+# HOSTNAME WHITELIST
+# The whitelist is used for some modules who generate urls from a given hostName GET parameter. In such a case it is usefull to give a whitelist for security reasons! If no hostName is given, the parameter $_SERVER['HTTP_HOST'] is used for the urls!
+#---------------------------------------------
+define("HOSTNAME_WHITELIST", "");
+
# --------------------------------------------
# Calculate bboxes for all supported SRS (Postgis needed)
# This module will compute bboxes for all srs which will be found in the service capabilities and which are defined
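Review bot: The new HOSTNAME WHITELIST comment does not say what format the value takes or what the empty default means. The modules changed in this commit split the constant with `explode(',',HOSTNAME_WHITELIST)` and compare each entry exactly, so the comment should spell that out, for example `# Comma-separated list of allowed host names, no spaces (constructed example: "localhost,www.example.org")`. With the shipped default `""` those modules skip the check and do not take over the request's hostName, so URLs are presumably built from `$_SERVER['HTTP_HOST']`, which is taken from the client's Host header. Stating that in the comment would prompt operators to set the list deliberately instead of leaving it empty.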
Modified: trunk/mapbender/http/php/mod_callMetadata.php
===================================================================
--- trunk/mapbender/http/php/mod_callMetadata.php 2011-02-17 07:01:31 UTC (rev 7618)
+++ trunk/mapbender/http/php/mod_callMetadata.php 2011-02-17 08:13:58 UTC (rev 7619)
@@ -238,14 +238,18 @@
$outputFormat = $testMatch;
$testMatch = NULL;
}
+//TODO give requesting hostname to this script
+//script check if request param hostname is in whitelist - when not it will be $_SERVER['HTTP_HOST']
if (isset($_REQUEST["hostName"]) & $_REQUEST["hostName"] != "") {
$testMatch = $_REQUEST["hostName"];
- if (!($testMatch == 'www.geoportal.rlp' or $testMatch == 'www.geoportal.rlp.de' or $testMatch == 'geoportal.rlp' or $testMatch == '10.7.101.151' or $testMatch == 'localhost:16580' or $testMatch == 'localhost' or $testMatch == 'www.gdi-rp-dienste3.rlp.de' )){
- echo 'hostName: <b>'.$testMatch.'</b> is not valid.<br/>';
- die();
- }
- $hostName = $testMatch;
- $testMatch = NULL;
+ if (isset(HOSTNAME_WHITELIST) & HOSTNAME_WHITELIST != '') {
+ if (!in_array($testMatch,explode(',',HOSTNAME_WHITELIST))){
+ echo 'hostName: <b>'.$testMatch.'</b> is not valid.<br/>';
+ die();
+ }
+ $hostName = $testMatch;
+ $testMatch = NULL;
+ }
}
if (isset($_REQUEST["orderBy"]) & $_REQUEST["orderBy"] != "") {
$testMatch = $_REQUEST["orderBy"];
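Review bot: `isset(HOSTNAME_WHITELIST)` on the added guard line is not valid PHP, because isset() accepts only variables; a constant there is rejected when the file is compiled, so the script will not load. Test the constant with `if (defined('HOSTNAME_WHITELIST') && HOSTNAME_WHITELIST != '') {` instead, which also replaces the bitwise `&` with the short-circuiting `&&`. The identical line is added in the mod_getWmcDisclaimer.php and tagCloud.php hunks and needs the same change. The script continues outside this hunk, so where `$hostName` receives its fallback value cannot be checked from here.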
Modified: trunk/mapbender/http/php/mod_getWmcDisclaimer.php
===================================================================
--- trunk/mapbender/http/php/mod_getWmcDisclaimer.php 2011-02-17 07:01:31 UTC (rev 7618)
+++ trunk/mapbender/http/php/mod_getWmcDisclaimer.php 2011-02-17 08:13:58 UTC (rev 7619)
@@ -33,14 +33,17 @@
$testMatch = NULL;
}
//TODO give requesting hostname to this script
+//script check if request param hostname is in whitelist - when not it will be $_SERVER['HTTP_HOST']
if (isset($_REQUEST["hostName"]) & $_REQUEST["hostName"] != "") {
$testMatch = $_REQUEST["hostName"];
- if (!($testMatch == 'www.geoportal.rlp' or $testMatch == 'www.geoportal.rlp.de' or $testMatch == 'geoportal.rlp' or $testMatch == '10.7.101.165' or $testMatch == '10.7.101.151' or $testMatch == 'localhost' or $testMatch == 'www.gdi-rp-dienste3.rlp.de' )){
- echo 'hostName: <b>'.$testMatch.'</b> is not valid.<br/>';
- die();
- }
- $hostName = $testMatch;
- $testMatch = NULL;
+ if (isset(HOSTNAME_WHITELIST) & HOSTNAME_WHITELIST != '') {
+ if (!in_array($testMatch,explode(',',HOSTNAME_WHITELIST))){
+ echo 'hostName: <b>'.$testMatch.'</b> is not valid.<br/>';
+ die();
+ }
+ $hostName = $testMatch;
+ $testMatch = NULL;
+ }
}
$e = new mb_exception("mod_getWmcDisclaimer.php: requested wmc id: ".$_REQUEST["id"]);
//
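Review bot: The rejection branch writes the request's `hostName` into the HTML response unescaped, so the value that just failed the whitelist is reflected to the caller as markup. Encode it before output, `echo 'hostName: <b>'.htmlspecialchars($testMatch, ENT_QUOTES, 'UTF-8').'</b> is not valid.<br/>';`, or leave the value out of the message. The same echo is re-added in the mod_callMetadata.php and tagCloud.php hunks. The script's body starts and ends outside this hunk.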
Modified: trunk/mapbender/http/php/tagCloud.php
===================================================================
--- trunk/mapbender/http/php/tagCloud.php 2011-02-17 07:01:31 UTC (rev 7618)
+++ trunk/mapbender/http/php/tagCloud.php 2011-02-17 08:13:58 UTC (rev 7619)
@@ -72,20 +72,20 @@
}
//
+//TODO give requesting hostname to this script
+//script check if request param hostname is in whitelist - when not it will be $_SERVER['HTTP_HOST']
if (isset($_REQUEST["hostName"]) & $_REQUEST["hostName"] != "") {
- //validate to some hosts
$testMatch = $_REQUEST["hostName"];
- if (!($testMatch == 'www.geoportal.rlp' or $testMatch == 'www.geoportal.rlp.de' or $testMatch == 'www.gdi-rp-dienste3.rlp.de' or $testMatch == '10.7.101.151')){
- echo 'hostName: <b>'.$testMatch.'</b> is not a valid server of gdi-rp.<br/>';
- die();
- }
- $hostName = $testMatch;
- $testMatch = NULL;
+ if (isset(HOSTNAME_WHITELIST) & HOSTNAME_WHITELIST != '') {
+ if (!in_array($testMatch,explode(',',HOSTNAME_WHITELIST))){
+ echo 'hostName: <b>'.$testMatch.'</b> is not valid.<br/>';
+ die();
+ }
+ $hostName = $testMatch;
+ $testMatch = NULL;
+ }
}
-
-
-
if ($outputFormat == 'json'){
$classJSON = new Mapbender_JSON;
}
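Review bot: The whitelist test `in_array($testMatch,explode(',',HOSTNAME_WHITELIST))` compares loosely and does not trim the entries, so a list written as `a, b` never matches `b`, and numeric-looking strings can compare equal without being identical. Consider `in_array($testMatch, array_map('trim', explode(',', HOSTNAME_WHITELIST)), true)`; the same expression appears in the mod_callMetadata.php and mod_getWmcDisclaimer.php hunks. tagCloud.php previously accepted a shorter host list than those two modules, and after this change all three share one list, which is worth confirming as intended. The script continues outside this hunk.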