RFC 31: Loading MapServer Objects from Strings
Daniel Morissette
dmorissette at MAPGEARS.COM
Fri Jun 15 08:47:11 EDT 2007
Umberto Nicoletti wrote:
> Steve,
> I am wondering if these features pose any security risk. Specifically
> I am thinking about sql injection for database layers, but there could
> be other issues (maybe not directly related to these features, but
> made easier to exploit by them) like buffer overflows etc.
>

Good point. I have always been wondering the same about the URL update
mechanisms in the past.

Perhaps while we're at it the URL update could be disabled by default
and enabled by a mapfile parameter. At least this way those who are not
aware of this mechanism (or don't use it) would not leave their apps
open by default.

Daniel
--
Daniel Morissette
http://www.mapgears.com/