RFC 31: Loading MapServer Objects from Strings

Sean Gillies sgillies at FRII.COM
Fri Jun 15 12:27:27 EDT 2007


Steve,

Guards against mapfile injection should be provided in 
msUpdateMapFromURL. I think the mapscript methods could be less secure, 
user-beware.

An update method for the mapfile classes would be ideal. It's a great 
match for the update method that Python dicts already have.

Sean

Steve Lime wrote:
> There is a comment on security in the RFC. The current code severely
> hobbles what can and cannot be changed via URL. The RFC proposes doing
> the same.
> 
> Note that runtime substitutions probably pose a bigger threat. I added a
> pattern matching capability to 4.10 to help with that so a developer
> could, say, limit values to a 3 digit integer.
> 
> We need a security how-to...
> 
> Steve
> 
>>>> On 6/15/2007 at 7:47 AM, in message <46728A4F.5060104 at mapgears.com>, Daniel Morissette <dmorissette at MAPGEARS.COM> wrote:
>> Umberto Nicoletti wrote:
>>> Steve,
>>> I am wondering if these features pose any security risk. Specifically
>>> I am thinking about sql injection for database layers, but there could
>>> be other issues (maybe not directly related to these features, but
>>> made easier to exploit by them) like buffer overflows etc.
>>>
>>
>> Good point. I have always been wondering the same about the URL update
>> mechanisms in the past.
>>
>> Perhaps while we're at it the URL update could be disabled by default
>> and enabled by a mapfile parameter. At least this way those who are not
>> aware of this mechanism (or don't use it) would not leave their apps
>> open by default.
>>
>> Daniel
> 


