[mapserver-dev] Version 8.0, more opt in and less opt out...
Even Rouault
even.rouault at spatialys.com
Mon May 17 11:35:10 PDT 2021
Steve,
Regarding modes, what would we do regarding OWS requests (I mean WMS,
WCS, etc.) ? Would that be a mode that needs to be explicitly enabled ?
I see in mapservutil.c that modeStrings[] contains OWS and WFS strings
(which aren't documented in https://mapserver.org/fr/cgi/controls.html),
but if the incoming request doesn't contain explicit MODE=OWS or
MODE=WFS query parameters, mode filtering will not be triggered.
I haven't understood what you meant with "immutable validation value"
and what would change. Some example might be useful.
Even
Le 17/05/2021 à 19:58, Steve Lime a écrit :
> Hi all: MapServer has a number of ways to enable/disable CGI-based
> functionality. For example the /ows_enable_request/ metadata (RFC 67),
> the /ms_enable_modes/ metadata (RFC 90) or the immutable validation
> value associated with runtime changes (RFC 44). The latter doesn't
> seem to be particularly well documented so folks probably don't know
> it's possible. Of these methods, only ows_enable_request requires
> users to opt in - you have to explicitly allow OWS services. The other
> methods require users to opt out. I think we should think about
> changing that in 8.0 and require explicit configuration by default, so:
>
> 1. Require /ms_enable_modes/ be set before handling native MapServer
> CGI requests or at least set a more limited default than all modes.
> 2. Consider objects as immutable by default and require users to
> explicitly configure that at the object-level by adding. Would
> probably need to extend the VALIDATION block to a few other
> objects such as scalebars, reference maps and legends. The
> necessary changes are otherwise not extensive.
>
> Note that I consider run-time substitutions as already being explicit
> since 1) validation is required and 2) users must denote substitution
> strings as appropriate. Thoughts?
>
> --Steve
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
--
http://www.spatialys.com
My software is free, but my time generally not.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210517/9c2f32e4/attachment.html>
More information about the mapserver-dev
mailing list