[mapserver-dev] [gdal-dev] New env. var. to make it easier to test/debug web services
Daniel Morissette
dmorissette at mapgears.com
Thu Oct 2 13:34:52 PDT 2014
On 14-10-02 4:25 PM, Even Rouault wrote:
>
> I didn't change this. They are currently enabled conditionaly. I'm not sure
> why. Perhaps for security reasons, since they imply reading a file (-t),
> overriding the temporary directory (-tmpbase), creating a file (MS_ERRORFILE) ?
>
> /* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.
> * The others will require an explicit -DMS_ENABLE_CGI_CL_DEBUG_ARGS
> * at compile time.
> */
>
Yes, that was for security reasons. I forget the exact details, but that
was done when we discovered that one of the command-line args could
potentially be remotely exploited via CGI:
https://github.com/mapserver/mapserver/issues/3485
Daniel
--
Daniel Morissette
T: +1 418-696-5056 #201
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
More information about the mapserver-dev
mailing list