RFC 31: Loading MapServer Objects from Strings
Steve Lime
Steve.Lime at DNR.STATE.MN.US
Fri Jun 15 11:20:33 EDT 2007
There is a comment on security in the RFC. The current code severely hobbles what can and
cannot be changed via URL. The RFC proposes doing the same.
Note that runtime substitutions probably pose a bigger threat. I added a pattern matching
capability to 4.10 to help with that so a developer could, say, limit values to a 3 digit integer.
We need a security how-to...
Steve
>>> On 6/15/2007 at 7:47 AM, in message <46728A4F.5060104 at mapgears.com>, Daniel
Morissette <dmorissette at MAPGEARS.COM> wrote:
> Umberto Nicoletti wrote:
>> Steve,
>> I am wondering if these features pose any security risk. Specifically
>> I am thinking about sql injection for database layers, but there could
>> be other issues (maybe not directly related to these features, but
>> made easier to exploit by them) like buffer overflows etc.
>>
>
> Good point. I have always been wondering the same about the URL update
> mechanisms in the past.
>
> Perhaps while we're at it the URL update could be disabled by default
> and enabled by a mapfile parameter. At least this way those who are not
> aware of this mechanism (or don't use it) would not leave their apps
> open by default.
>
> Daniel
More information about the mapserver-dev
mailing list