[MapServer-dev] RFC 138 - Reference SLD files in Mapfiles

Seth G sethg at geographika.co.uk
Mon Feb 12 12:47:43 PST 2024 

Hi Jukka,

Yes, I'll update to say "any new concerns".
That particular issue though I believe has already been addressed through external graphics validation added in MapServer 7.0 - see https://mapserver.org/MIGRATION_GUIDE.html#mapserver-6-4-to-7-0-migration

WEB
  VALIDATION
    "sld_external_graphic" "^.*/sld/data/.*"
  END
  
See also the discussion in https://mapserver.org/development/rfc/ms-rfc-124.html

Seth
--
web:https://geographika.net & https://mapserverstudio.net
twitter: @geographika

On Mon, Feb 12, 2024, at 9:21 PM, Rahkonen Jukka wrote:
> Hi,
>
> The paragraph about security concerns says "MapServer already accepts 
> SLD from remote URLs and client requests, so local SLD files shouldn't 
> cause any concerns."
> It could be "shouldn't cause any new concerns". We may already have 
> some, for example when the SLD contains external graphics.
> <sld:ExternalGraphic>
>               <sld:OnlineResource 
> xmlns:xlink="http://www.w3.org/1999/xlink" xlink:type="simple" 
> xlink:href="http://127.0.0.1/svg2.svg" />
> <sld:Format>image/svg</sld:Format>
> </sld:ExternalGraphic>
>
> I think I have heard that this can be used for XXE injections. 
> Geoserver has nowadays a configuration option for defining a whitelist  
> https://docs.geoserver.org/stable/en/user/production/config.html#external-entities-resolution
>
> -Jukka Rahkonen-
>
>
>
> -----Alkuperäinen viesti-----
> Lähettäjä: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> 
> Puolesta Seth G via MapServer-dev
> Lähetetty: lauantai 10. helmikuuta 2024 1.04
> Vastaanottaja: MapServer Devs <mapserver-dev at lists.osgeo.org>
> Aihe: [MapServer-dev] RFC 138 - Reference SLD files in Mapfiles
>
> Hi all,
>
> I've added a new RFC - MS RFC 138: Reference SLD files in Mapfiles at 
> https://mapserver.org/development/rfc/ms-rfc-138.html
> This would allow SLD files to be referenced in a Mapfile using the 
> STYLEITEM (similar to how JS files are referenced):
>
>     LAYER
>       STYLEITEM "sld://mysldfile.xml" # uses SHAPEPATH and if not set 
> then relative path to the Mapfile or absolute path
>       CLASS # define an empty CLASS here
>       END
>     END
>
> It will make it easier to export Mapfiles from other application such 
> as QGIS, and to share styles e.g. between MapServer and GeoServer. More 
> details are in the RFC.
> Feedback and comments appreciated.
>
> I'll start with my +1,
>
> Seth
>
> --
> web:https://geographika.net/ & https://mapserverstudio.net/
> twitter: @geographika
> _______________________________________________
> MapServer-dev mailing list
> MapServer-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev

More information about the MapServer-dev mailing list