[mapserver-dev] Re: MapServer security issue
Steve Lime
steve.lime at dnr.state.mn.us
Sat Nov 9 18:02:56 EST 2002
I've been thinking about this more and have one more idea. Why not use
the same mechanism that is already used to limit access to only .map or
the various template extensions? That is, use a regular expression to
limit access via scripting to DATA or TEMPLATE values. I'd propose
adding DATAPATTERN and FILEPATTERN options to the map object and using
those to validate changes to DATA or the various templates
(TEMPLATE/FOOTER/HEADER/...). Without those expressions you wouldn't
allow access.
One other way to deal with the HTML issue would be to create a template
extension (ala .map) and not use something like .html or .xml. That
would have a larger impact than the idea above. We should add that
anyway for future considerations (i.e. just expand the current
expression to support something like .mat or whatever.
Any comments?
Steve
Stephen Lime
Data & Applications Manager
Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155
651-297-2937
>>> Jan Hartmann <jhart at frw.uva.nl> 11/06/02 06:49 AM >>>
Another approach could be to look for the origin of the calling URL. If
that has same as the HTTP-address as the MapServer CGI, everything could
be allowed. If not, no scripting should be possible. Javascript uses the
same sort of security: if you load a webpage into a subframe of your
browser, the other frames can only modify (or even read) its variables
if it comes from the same server; else it can only be displayed. You can
use the "document.domain" variable to widen the number of permitted
hosts.
I wouldn't like to have a totally unscriptable "DATA" statement. It is
very usable when having lots of data files with only minor differences.
Without scripting "DATA" you would have to produce immense MapFiles. Of
course everything can be done be MapScript, but many applications don't
need all that horse power. Besides, many peope aren't able or permitted
to use PHP or Perl on their server.
A last argument for keeping MapServer CGI as scriptable as possible is
the power of the new W3C JavaScript/DOM standard. You can produce
complete client-side Web applications (even for IE) without using any
HTML at all, just using the DOM interface. I have found this a very
valuable addition to MapServer's Perl/PHP/Java scripting.
Jan Hartmann
More information about the mapserver-dev
mailing list