[UMN_MAPSERVER-USERS] mapserver 5 expression

Steve Lime Steve.Lime at DNR.STATE.MN.US
Fri Aug 31 12:16:21 EDT 2007


I think this can be a problem so your precautions are a good idea. The regex 
scrubbing I detailed in my original message is another way you can do validation
before passing the data on and I recommend using it. It's not required though
and I think it should be - that is, no substitution without a validation pattern being
defined.

Steve

>>> John Cole <john.cole at UAI.COM> 08/31/07 10:35 AM >>>
I had asked a question about url substitution being a possible SQL injection
attack.  When I have had to do this kind of substitution in the mapfile,
I've resorted to a proxy that scrubbed the parameters, ensuring that they
are the expected type, but I would love either assurance that it isn't a
problem or for a secure solution to allow passing in parameters that are
used in sql queries.

And while expressions are processed by mapserver, it can be very easy to
want to take that same variable and put it in the SQL.  And sometimes the
people editing our mapfiles are not paranoid enough. :-)

John



Steve Lime wrote:
> 
> You are correct. Even if we re-enabled that functionality applications will
> break because of the syntax change in how URL configuration is handled.
> The migration guide talks about these changes.
> 
> I agree that EXPRESSIONs are not as likely to suffer from security problems
> although I don't like the idea of allowing it since there is no way to validate
> an expression without evaluating it. No security problems with that functionality
> have been reported. I still prefer using the runtime subs where you can apply
> your own checks. You can substitute entire expressions that way too.
> 
> Cc'ing mapserver-dev
> 
> Steve
> 
> 

-- 
View this message in context: http://www.nabble.com/Re%3A--UMN_MAPSERVER-USERS--mapserver-5-expression-tf4360622.html#a12428827
Sent from the Mapserver - Dev mailing list archive at Nabble.com.
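As an added illustration of the policy argued for in this thread (a URL parameter is substituted into the mapfile only if a validation pattern is defined for it and the value matches), here is a small Python model of runtime substitution. It is example code written for this page, not MapServer's own implementation; the %name% token syntax, the sample DATA line and the patterns are constructed assumptions.

```python
import re

# Constructed sample: a mapfile DATA line whose %name% runtime-substitution
# tokens land inside a SQL query (illustrative, not a real deployment).
DATA_TEMPLATE = (
    "geom from (select geom, name from parcels "
    "where county_id = %county% and zone = '%zone%') as sub using unique gid"
)

# One anchored validation pattern per substitutable parameter (assumed policy:
# a token with no pattern is never substituted).
VALIDATION = {
    "county": r"^[0-9]{1,5}$",
    "zone": r"^[A-Z]{1,3}[0-9]?$",
}

TOKEN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

class SubstitutionError(ValueError):
    """A parameter is missing, has no validation pattern, or fails it."""

def substitute(template, params, validation):
    """Replace %name% tokens with URL parameter values, but only when a
    validation pattern exists for the name and the value fully matches it;
    otherwise abort instead of passing the value on to the SQL backend."""
    def repl(match):
        name = match.group(1)
        pattern = validation.get(name)
        if pattern is None:
            raise SubstitutionError(f"no validation pattern defined for '{name}'")
        value = params.get(name)
        if value is None:
            raise SubstitutionError(f"no value supplied for '{name}'")
        if not re.fullmatch(pattern, value):
            raise SubstitutionError(f"value for '{name}' rejected by its pattern")
        return value
    return TOKEN_RE.sub(repl, template)

def is_safe_request(params, template=DATA_TEMPLATE, validation=VALIDATION):
    """True only if every token in the template substitutes under the policy."""
    try:
        substitute(template, params, validation)
        return True
    except SubstitutionError:
        return False

if __name__ == "__main__":
    print(substitute(DATA_TEMPLATE, {"county": "27", "zone": "R1"}, VALIDATION))
    print(is_safe_request({"county": "27a", "zone": "R1"}))  # False: fails pattern
```

Note that the check is a whitelist: a token whose pattern is missing from the mapfile is refused rather than passed through unchanged.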
