[mapserver-dev] Version 8.0, more opt in and less opt out...

Even Rouault even.rouault at spatialys.com
Mon May 17 11:35:10 PDT 2021


Regarding modes, what would we do regarding OWS requests (I mean WMS, 
WCS, etc.) ? Would that be a mode that needs to be explicitly enabled ? 
I see in mapservutil.c that modeStrings[] contains OWS and WFS strings 
(which aren't documented in https://mapserver.org/fr/cgi/controls.html), 
but if the incoming request doesn't contain explicit MODE=OWS or 
MODE=WFS query parameters, mode filtering will not be triggered.

I haven't understood what you meant with "immutable validation value" 
and what would change. Some example might be useful.


Le 17/05/2021 à 19:58, Steve Lime a écrit :
> Hi all: MapServer has a number of ways to enable/disable CGI-based 
> functionality. For example the /ows_enable_request/ metadata (RFC 67), 
> the /ms_enable_modes/ metadata (RFC 90) or the immutable validation 
> value associated with runtime changes (RFC 44). The latter doesn't 
> seem to be particularly well documented so folks probably don't know 
> it's possible. Of these methods, only ows_enable_request requires 
> users to opt in - you have to explicitly allow OWS services. The other 
> methods require users to opt out. I think we should think about 
> changing that in 8.0 and require explicit configuration by default, so:
>  1. Require /ms_enable_modes/ be set before handling native MapServer
>     CGI requests or at least set a more limited default than all modes.
>  2. Consider objects as immutable by default and require users to
>     explicitly configure that at the object-level by adding. Would
>     probably need to extend the VALIDATION block to a few other
>     objects such as scalebars, reference maps and legends. The
>     necessary changes are otherwise not extensive.
> Note that I consider run-time substitutions as already being explicit 
> since 1) validation is required and 2) users must denote substitution 
> strings as appropriate. Thoughts?
> --Steve
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev

My software is free, but my time generally not.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210517/9c2f32e4/attachment.html>

More information about the mapserver-dev mailing list