[mapserver-dev] Re: MapServer security issue
steve.lime at dnr.state.mn.us
Fri Nov 8 15:42:10 EST 2002
I like this idea, but how to implement. I assume you'd have to look
at the referer which I thought was a bit inconsistant between
browser vendors. Thoughts?
What about a PATH variable at the LAYER level, which if defined
would limit where DATA could be found. With out a limiting PATH
we could disable changing of the DATA property. Same thing
could apply to HTML templates.
Data & Applications Manager
500 Lafayette Road
St. Paul, MN 55155
>>> Jan Hartmann <jhart at frw.uva.nl> 11/06/02 06:46AM >>>
Another approach could be to look for the origin of the calling URL. If
that has same as the HTTP-address as the MapServer CGI, everything
same sort of security: if you load a webpage into a subframe of your
browser, the other frames can only modify (or even read) its variables
if it comes from the same server; else it can only be displayed. You
use the "document.domain" variable to widen the number of permitted
I wouldn't like to have a totally unscriptable "DATA" statement. It is
very usable when having lots of data files with only minor differences.
Without scripting "DATA" you would have to produce immense MapFiles. Of
course everything can be done be MapScript, but many applications don't
need all that horse power. Besides, many peope aren't able or permitted
to use PHP or Perl on their server.
A last argument for keeping MapServer CGI as scriptable as possible is
complete client-side Web applications (even for IE) without using any
HTML at all, just using the DOM interface. I have found this a very
valuable addition to MapServer's Perl/PHP/Java scripting.
More information about the mapserver-dev