RFC 31: Loading MapServer Objects from Strings

Daniel Morissette dmorissette at MAPGEARS.COM
Fri Jun 15 11:32:05 EDT 2007


Steve Lime wrote:
> There is a comment on security in the RFC. The current code severely hobbles what can and
> cannot be changed via URL. The RFC proposes doing the same.
> 

I saw that, but there may be combinations of parameters that seem safe 
at first sight and that could be used remotely in a harmful way. 
Security flaws are not in stuff the developer could think of, I think 
most of the time they happen in areas of the software where the 
developers didn't think there might be a problem otherwise.

It's for the reasons we cannot think of today that I wanted to suggest 
that URL updates be disabled by default, to protect all those who don't 
care or don't know about this feature... and those who choose to enable 
the feature explicitly in their mapfile would have to understand that by 
doing so they accept a potential security risk.

> Note that runtime substitutions probably pose a bigger threat. I added a pattern matching 
> capability to 4.10 to help with that so a developer could, say, limit values to a 3 digit integer.
> 

Agreed runtime %var% substitution can be dangerous, but at least it's 
not enabled by default and without the user knowing about it: it kicks 
in only *if* someone uses it and chooses to assume the risk. (Actually 
does the doc make any mention of the potential risk in using this feature?)

> We need a security how-to...
> 

Agreed... and all those potential risks should be documented there.

Daniel
-- 
Daniel Morissette
http://www.mapgears.com/



More information about the mapserver-dev mailing list