[mapserver-dev] Version 8.0, more opt in and less opt out...

Daniel Morissette dmorissette at mapgears.com
Tue May 18 06:41:36 PDT 2021

FYI mode=OWS was added to deal with OGC compliance testing which 
requires the server to produce an exception in some cases if the 
SERVICE/REQUEST parameters are missing... and since MapServer falls back 
on the CGI mode by default if SERVICE/REQUEST are not present then the 
only way we could imagine to produce that exception and be compliant was 
to add a mode=OWS vendor-specific param in the onlineresource.  More 
info here:




P.S. I'm following this thread and think it may be a good idea to have 
"more opt in and less opt out" for security reasons as long as the 
mechanism to handle this is clear and easy to understand, but I don't 
have a strong opinion on the proposed changes, that's why I'm staying quiet.

On 2021-05-18 07:58, Steve Lime wrote:
> Hi Even: I'm not sure why "OWS" and "WFS" are in that list. A mode isn't 
> required for OWS services of course and so those values must represent a 
> special case or work around.  Perhaps another dev can weigh in - it's 
> odd to see just those two values. The current setup does seem to work as 
> expected and you can effectively do things like just support WMS GetMap 
> requests and nothing else - including traditional CGI requests.  You're 
> correct that if the incoming request doesn't contain a mode then mode 
> filtering doesn't happen. In that case, if the request isn't an OWS 
> request then the mode is set to BROWSE 
> (https://github.com/MapServer/MapServer/blob/c862b04cf690091995df40139a6be77a2ff72bce/mapservutil.c#L1770). 
> That value should probably be checked against ms_enable_modes again at 
> this point (https://github.com/MapServer/MapServer/issues/6323).
> Regarding the other area, if you have a mapfile with 5 layers and only 
> want to allow runtime changes against one of them you have to do 
> something like this for each layer you don't want touched.
>    ...
>      IMMUTABLE "any value"
>    END
> I don't think this approach makes sense and users should be 
> able/required to explicitly define what objects they want to allow 
> runtime changes to via the RFC 44 syntax. The validation "hack" doesn't 
> work very well and isn't fine grained. I think it would be much better 
> to hang a boolean "mutable" property (default = false) off objects that 
> are candidates for this sort of limited configuration and then only 
> allow changes to those explicitly set to true. The property would not 
> cascade. That way a user could limit changes to just a scalebar or to a 
> single style in a layer - and nowhere by default.
>    ...
>    MUTABLE TRUE # allow limited configuration at runtime
> --Steve
> On Mon, May 17, 2021 at 1:35 PM Even Rouault <even.rouault at spatialys.com> wrote:
>     Steve,
>     Regarding modes, what would we do regarding OWS requests (I mean
>     WMS, WCS, etc.) ? Would that be a mode that needs to be explicitly
>     enabled ? I see in mapservutil.c that modeStrings[] contains OWS and
>     WFS strings (which aren't documented in
>     https://mapserver.org/fr/cgi/controls.html), but if the incoming
>     request doesn't contain explicit MODE=OWS or MODE=WFS query
>     parameters, mode filtering will not be triggered.
>     I haven't understood what you meant with "immutable validation
>     value" and what would change. Some example might be useful.
>     Even
>     On 17/05/2021 at 19:58, Steve Lime wrote:
>>     Hi all: MapServer has a number of ways to enable/disable CGI-based
>>     functionality. For example the /ows_enable_request/ metadata (RFC
>>     67), the /ms_enable_modes/ metadata (RFC 90) or the immutable
>>     validation value associated with runtime changes (RFC 44). The
>>     latter doesn't seem to be particularly well documented so folks
>>     probably don't know it's possible. Of these methods, only
>>     ows_enable_request requires users to opt in - you have to
>>     explicitly allow OWS services. The other methods require users to
>>     opt out. I think we should think about changing that in 8.0 and
>>     require explicit configuration by default, so:
>>      1. Require /ms_enable_modes/ be set before handling native
>>         MapServer CGI requests or at least set a more limited default
>>         than all modes.
>>      2. Consider objects as immutable by default and require users to
>>         explicitly configure that at the object-level by adding. Would
>>         probably need to extend the VALIDATION block to a few other
>>         objects such as scalebars, reference maps and legends. The
>>         necessary changes are otherwise not extensive.
>>     Note that I consider run-time substitutions as already being
>>     explicit since 1) validation is required and 2) users must denote
>>     substitution strings as appropriate. Thoughts?
>>     --Steve
>>     _______________________________________________
>>     mapserver-dev mailing list
>>     mapserver-dev at lists.osgeo.org
>>     https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>     -- 
>     http://www.spatialys.com
>     My software is free, but my time generally not.

Daniel Morissette
Mapgears Inc
T: +1 418-696-5056 #201
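
An added sketch, not part of the original messages and not MapServer source code, of the two points raised in this thread: a request without a MODE parameter falls through to an implicit BROWSE that skips the ms_enable_modes filter, and an opt-in default rejects everything until a mode is explicitly enabled. The function names, the `default_allow` and `recheck` switches, and the rule that a later token overrides an earlier one are assumptions of this model.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; not MapServer source code. */

/* Case-insensitive compare of the n-byte token a against string b. */
static int tok_eq(const char *a, size_t n, const char *b) {
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* list: space-separated tokens "*", "!*", "NAME", "!NAME"; in this model a later
   matching token overrides an earlier one. NULL (metadata not set) and modes the
   list never mentions fall back to default_allow: 1 = opt-out, 0 = opt-in. */
static int mode_allowed(const char *list, const char *mode, int default_allow) {
    int allowed = default_allow;
    if (list == NULL) return default_allow;
    while (*list) {
        list += strspn(list, " ");
        size_t n = strcspn(list, " ");
        if (n == 0) break;
        int neg = (list[0] == '!');
        if (tok_eq(list + neg, n - neg, "*") || tok_eq(list + neg, n - neg, mode))
            allowed = !neg;
        list += n;
    }
    return allowed;
}

/* Returns 1 if the request would be served. mode_param is the MODE query
   parameter or NULL; recheck applies the filter to the implicit BROWSE too. */
static int dispatch(const char *list, const char *mode_param, int is_ows,
                    int default_allow, int recheck) {
    if (mode_param != NULL) return mode_allowed(list, mode_param, default_allow);
    if (is_ows) return 1;   /* governed by ows_enable_request, not modelled */
    return recheck ? mode_allowed(list, "BROWSE", default_allow) : 1;
}

int main(void) {
    const char *only_map = "!* MAP";  /* constructed sample value */
    printf("explicit MODE=browse:        %d\n", dispatch(only_map, "browse", 0, 1, 0));
    printf("no MODE, no recheck:         %d\n", dispatch(only_map, NULL, 0, 1, 0));
    printf("no MODE, recheck:            %d\n", dispatch(only_map, NULL, 0, 1, 1));
    printf("opt-in, nothing configured:  %d\n", dispatch(NULL, "MAP", 0, 0, 1));
    return 0;
}
```

With the constructed value `"!* MAP"`, the second line prints 1 while the first and third print 0: the same BROWSE request is rejected when named explicitly but served when MODE is omitted, unless the default is re-checked.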
