[mapserver-dev] [gdal-dev] New env. var. to make it easier to test/debug web services
Even Rouault
even.rouault at spatialys.com
Thu Oct 2 13:49:51 PDT 2014
On Thursday 02 October 2014 22:34:52, Daniel Morissette wrote:
> On 14-10-02 4:25 PM, Even Rouault wrote:
> > I didn't change this. They are currently enabled conditionally. I'm not
> > sure why. Perhaps for security reasons, since they imply reading a file
> > (-t), overriding the temporary directory (-tmpbase), creating a file
> > (MS_ERRORFILE) ?
> >
> > /* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.
> >  * The others will require an explicit -DMS_ENABLE_CGI_CL_DEBUG_ARGS
> >  * at compile time.
> >  */
>
> Yes, that was for security reasons. I forget the exact details, but that
> was done when we discovered that one of the command-line args could
> potentially be remotely exploited via CGI:
>
> https://github.com/mapserver/mapserver/issues/3485
Thanks. I've updated the comment to mention that. Someone could have re-
enabled them without being aware of that.
>
> Daniel
--
Spatialys - Geospatial professional services
http://www.spatialys.com