[mapserver-dev] Re: MapServer security issue

Steve Lime steve.lime at dnr.state.mn.us
Sat Nov 9 18:02:56 EST 2002


I've been thinking about this more and have one more idea. Why not use
the same mechanism that is already used to limit access to only .map or
the various template extensions? That is, use a regular expression to
limit access via scripting to DATA or TEMPLATE values. I'd propose
adding DATAPATTERN and FILEPATTERN options to the map object and using
those to validate changes to DATA or the various templates
(TEMPLATE/FOOTER/HEADER/...). Without those expressions you wouldn't
allow access.

One other way to deal with the HTML issue would be to create a template
extension (à la .map) and not use something like .html or .xml. That
would have a larger impact than the idea above. We should add that
anyway for future considerations (i.e. just expand the current
expression to support something like .mat or whatever).

Any comments?

Steve

Stephen Lime
Data & Applications Manager

Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155
651-297-2937

>>> Jan Hartmann <jhart at frw.uva.nl> 11/06/02 06:49 AM >>>
Another approach could be to look for the origin of the calling URL. If
that has the same HTTP-address as the MapServer CGI, everything could
be allowed. If not, no scripting should be possible. Javascript uses the
same sort of security: if you load a webpage into a subframe of your
browser, the other frames can only modify (or even read) its variables
if it comes from the same server; else it can only be displayed. You can
use the "document.domain" variable to widen the number of permitted
hosts.

I wouldn't like to have a totally unscriptable "DATA" statement. It is 
very usable when having lots of data files with only minor differences. 
Without scripting "DATA" you would have to produce immense MapFiles. Of 
course everything can be done by MapScript, but many applications don't 
need all that horse power. Besides, many people aren't able or permitted 
to use PHP or Perl on their server.

A last argument for keeping MapServer CGI as scriptable as possible is 
the power of the new W3C JavaScript/DOM standard. You can produce 
complete client-side Web applications (even for IE) without using any 
HTML at all, just using the DOM interface. I have found this a very 
valuable addition to MapServer's Perl/PHP/Java scripting.

Jan Hartmann
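
The DATAPATTERN/FILEPATTERN proposal at the top of this message, sketched as an added example that is not MapServer code and not from either poster. The function name `override_allowed`, the whole-value match requirement and the sample pattern are assumptions made for illustration; the deny-when-no-pattern rule follows the proposal.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MapServer's API): decide whether a value
 * supplied via the URL may replace DATA or a template in the mapfile.
 * pattern is the map's DATAPATTERN or FILEPATTERN regex, or NULL when
 * the mapfile does not define one. Returns 1 to allow, 0 to deny. */
int override_allowed(const char *pattern, const char *value)
{
    regex_t re;
    regmatch_t m;
    int ok;

    /* Default deny: without an expression there is no scripting access. */
    if (pattern == NULL || value == NULL || *value == '\0')
        return 0;

    /* A pattern that does not compile denies as well. */
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return 0;

    /* Assumption: the match must cover the entire value, so a pattern
     * written without ^ and $ cannot be satisfied by a substring of a
     * longer path. */
    ok = regexec(&re, value, 1, &m, 0) == 0
         && m.rm_so == 0
         && (size_t)m.rm_eo == strlen(value);

    regfree(&re);
    return ok;
}

int main(void)
{
    /* Constructed sample pattern and values. */
    const char *pat = "^[a-z0-9_]+\\.shp$";

    printf("%d\n", override_allowed(pat, "roads_2002.shp"));
    printf("%d\n", override_allowed(pat, "../../etc/passwd"));
    printf("%d\n", override_allowed(NULL, "roads_2002.shp"));
    return 0;
}
```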