[mapserver-dev] [gdal-dev] New env. var. to make it easier to test/debug web services

Daniel Morissette dmorissette at mapgears.com
Thu Oct 2 13:34:52 PDT 2014


On 14-10-02 4:25 PM, Even Rouault wrote:
>
> I didn't change this. They are currently enabled conditionally. I'm not sure
> why. Perhaps for security reasons, since they imply reading a file (-t),
> overriding the temporary directory (-tmpbase), creating a file (MS_ERRORFILE)?
>
>      /* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.
>       * The others will require an explicit -DMS_ENABLE_CGI_CL_DEBUG_ARGS
>       * at compile time.
>       */
>


Yes, that was for security reasons. I forget the exact details, but that 
was done when we discovered that one of the command-line args could 
potentially be remotely exploited via CGI:

https://github.com/mapserver/mapserver/issues/3485

Daniel
-- 
Daniel Morissette
T: +1 418-696-5056 #201
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000

