[MapServer-dev] RFC 138 - Reference SLD files in Mapfiles

Rahkonen Jukka jukka.rahkonen at maanmittauslaitos.fi
Mon Feb 12 12:21:31 PST 2024


Hi,

The paragraph about security concerns says "MapServer already accepts SLD from remote URLs and client requests, so local SLD files shouldn't cause any concerns."
It could be "shouldn't cause any new concerns". We may already have some, for example when the SLD contains external graphics.
    <sld:ExternalGraphic>
      <sld:OnlineResource xmlns:xlink="http://www.w3.org/1999/xlink" xlink:type="simple" xlink:href="http://127.0.0.1/svg2.svg" />
      <sld:Format>image/svg</sld:Format>
    </sld:ExternalGraphic>

I think I have heard that this can be used for XXE injections. GeoServer nowadays has a configuration option for defining a whitelist: https://docs.geoserver.org/stable/en/user/production/config.html#external-entities-resolution

-Jukka Rahkonen-



-----Original Message-----
From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> On Behalf Of Seth G via MapServer-dev
Sent: Saturday, 10 February 2024 1:04
To: MapServer Devs <mapserver-dev at lists.osgeo.org>
Subject: [MapServer-dev] RFC 138 - Reference SLD files in Mapfiles

Hi all,

I've added a new RFC - MS RFC 138: Reference SLD files in Mapfiles at https://mapserver.org/development/rfc/ms-rfc-138.html
This would allow SLD files to be referenced in a Mapfile using the STYLEITEM (similar to how JS files are referenced):

    LAYER
      STYLEITEM "sld://mysldfile.xml" # uses SHAPEPATH and if not set then relative path to the Mapfile or absolute path
      CLASS # define an empty CLASS here
      END
    END

It will make it easier to export Mapfiles from other applications such as QGIS, and to share styles e.g. between MapServer and GeoServer. More details are in the RFC.
Feedback and comments appreciated.

I'll start with my +1,

Seth

--
web:https://geographika.net/ & https://mapserverstudio.net/
twitter: @geographika
_______________________________________________
MapServer-dev mailing list
MapServer-dev at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-dev
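
The external-graphic concern raised in the reply above can be checked before an SLD file is referenced from a Mapfile. The following is an added example, not code from the thread, MapServer or GeoServer: it parses an SLD with DOCTYPE declarations refused and reports each ExternalGraphic URL against a host allowlist. `ALLOWED_HOSTS`, the function names and the sample SLD are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit
from xml.parsers import expat

XLINK_HREF = "http://www.w3.org/1999/xlink href"  # expat form: "<namespace> <local name>"
ALLOWED_HOSTS = {"symbols.example.org"}  # assumption: hosts trusted to serve symbols
# Constructed sample: the href from the message plus one allow-listed symbol.
SAMPLE_SLD = b"""<sld:Graphic xmlns:sld="http://www.opengis.net/sld"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <sld:ExternalGraphic><sld:OnlineResource xlink:href="http://127.0.0.1/svg2.svg"/></sld:ExternalGraphic>
  <sld:ExternalGraphic><sld:OnlineResource xlink:href="https://symbols.example.org/tree.svg"/></sld:ExternalGraphic>
</sld:Graphic>"""

class DoctypeForbidden(ValueError):
    """Raised when the SLD declares a DOCTYPE (where XML entities are defined)."""

def external_graphic_hrefs(sld_bytes):
    """Return the xlink:href of each OnlineResource directly inside an ExternalGraphic."""
    hrefs, stack = [], []
    def start(name, attrs):
        stack.append(name.rpartition(" ")[2])  # keep the local name only
        if stack[-2:] == ["ExternalGraphic", "OnlineResource"] and XLINK_HREF in attrs:
            hrefs.append(attrs[XLINK_HREF])
    def end(_name):
        stack.pop()
    def doctype(*_args):
        raise DoctypeForbidden("DOCTYPE not allowed in SLD")
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.StartDoctypeDeclHandler = doctype  # abort before any entity is declared
    parser.Parse(sld_bytes, True)
    return hrefs

def audit(sld_bytes):
    """Pair each external graphic URL with an allow/block verdict."""
    results = []
    for href in external_graphic_hrefs(sld_bytes):
        url = urlsplit(href)
        host = url.hostname or ""
        if url.scheme in ("http", "https") and host in ALLOWED_HOSTS:
            verdict = "allowed"
        else:
            try:  # literal IPs that are loopback, private or link-local
                internal = not ipaddress.ip_address(host).is_global
            except ValueError:  # a host name, not an IP literal
                internal = host == "localhost"
            verdict = "blocked: internal address" if internal else "blocked: not on allowlist"
        results.append((href, verdict))
    return results
```

The check matches host names as written in the SLD; it does not resolve them, so a name that points at an internal address is only caught by keeping it off the allowlist.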

