[mapserver-dev] News on MapServer SLD and MapCache

jbo-ads jbo-ads at laposte.net
Wed Dec 18 05:47:01 PST 2019

Le 17/12/2019 à 19:35, Stephen Woodbridge a écrit :
> If I understand your concern about dimensions using path, is that 
> somehow the dimension will get used as part of the path the mapcache 
> uses to locate files. So a crafty user might submit a request with a 
> dimension to access other files on the server. This would require 
> sanitizing the dimension in some way to make sure it is legitimate and 
> not bogus.
> Few few things come to mind:
> 1. don't allow it at all
> 2. allow it in a restricted way such as:
>     i. make all paths relative to a root_dimension_path variable 
> configure in mapcache.xml
>    ii. don't allow '../' in the dimension paths
> 3. in mapcache.xml provide a feature to allow dimension to path 
> mapping, so user requests never supply the path directly only the 
> dimension and you look up the path in the map or throw an error if the 
> dimension if not valid.
> Of the three, I think 3. is probably the safest and probably keeps the 
> code fairly simple.
> For example you could have a dimension and path like:
> foo#bar#baz   ->  foo/bar.baz
> or whatever.
> -Steve W

Thank you Steve for your valuable advice, it confirm my first thoughts.

Indeed dimension values are used as parts of the path to choose among 
several caches thanks to the templating feature of cache configuration 

About your three points, 1. is what is implemented now and what should 
be changed.

2.i. is already implemented without a specific parameter: In the example 
given in the linked document, "/path/to" can be seen as what you call 
root_dimension_path. So no need of further developments here.

2.ii. is one of the changes that I thought of. I will certainly 
implement it.

3. In the context of my activities, implementation involves second level 
dimensions (see 
This means that the user supplies a keyword in the &DIM= part of its 
request. This keyword is then used by MapCache to query a dimension 
database which in turn provides one or more cache paths. I presume that 
as long as the dimension database and the mapcache.xml configuration 
file are kept in safe places, then the security risk is avoided. 
Therefore all I need to do as a developer is to limit path usage in 
dimensions to second level dimensions only.


More information about the mapserver-dev mailing list