[mapserver-dev] Version 8.0, more opt in and less opt out...

Steve Lime sdlime at gmail.com
Mon May 17 10:58:45 PDT 2021

Hi all: MapServer has a number of ways to enable/disable CGI-based
functionality. For example, the *ows_enable_request* metadata (RFC 67), the
*ms_enable_modes* metadata (RFC 90) or the immutable validation value
associated with runtime changes (RFC 44). The latter doesn't seem to be
particularly well documented so folks probably don't know it's possible. Of
these methods, only ows_enable_request requires users to opt in - you have
to explicitly allow OWS services. The other methods require users to opt
out. I think we should think about changing that in 8.0 and require
explicit configuration by default, so:

   1. Require *ms_enable_modes* be set before handling native MapServer CGI
   requests or at least set a more limited default than all modes.
   2. Consider objects as immutable by default and require users to
   explicitly configure that at the object-level by adding. Would probably
   need to extend the VALIDATION block to a few other objects such as
   scalebars, reference maps and legends. The necessary changes are otherwise
   not extensive.

Note that I consider run-time substitutions as already being explicit since
1) validation is required and 2) users must denote substitution strings as
appropriate. Thoughts?
