[MapServer-dev] RFC 138 - Reference SLD files in Mapfiles

Rahkonen Jukka jukka.rahkonen at maanmittauslaitos.fi
Mon Feb 12 12:21:31 PST 2024


The paragraph about security concerns says "MapServer already accepts SLD from remote URLs and client requests, so local SLD files shouldn't cause any concerns."
It could be "shouldn't cause any new concerns". We may already have some, for example when the SLD contains external graphics.
              <sld:OnlineResource xmlns:xlink="http://www.w3.org/1999/xlink" xlink:type="simple" xlink:href="" />

I think I have heard that this can be used for XXE injections. Geoserver has nowadays a configuration option for defining a whitelist  https://docs.geoserver.org/stable/en/user/production/config.html#external-entities-resolution

-Jukka Rahkonen-

-----Alkuperäinen viesti-----
Lähettäjä: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> Puolesta Seth G via MapServer-dev
Lähetetty: lauantai 10. helmikuuta 2024 1.04
Vastaanottaja: MapServer Devs <mapserver-dev at lists.osgeo.org>
Aihe: [MapServer-dev] RFC 138 - Reference SLD files in Mapfiles

Hi all,

I've added a new RFC - MS RFC 138: Reference SLD files in Mapfiles at https://mapserver.org/development/rfc/ms-rfc-138.html
This would allow SLD files to be referenced in a Mapfile using the STYLEITEM (similar to how JS files are referenced):

      STYLEITEM "sld://mysldfile.xml" # uses SHAPEPATH and if not set then relative path to the Mapfile or absolute path
      CLASS # define an empty CLASS here

It will make it easier to export Mapfiles from other application such as QGIS, and to share styles e.g. between MapServer and GeoServer. More details are in the RFC.
Feedback and comments appreciated.

I'll start with my +1,


web:https://geographika.net/ & https://mapserverstudio.net/
twitter: @geographika
MapServer-dev mailing list
MapServer-dev at lists.osgeo.org

More information about the MapServer-dev mailing list