[mapserver-users] New limitations with mapserver 5 CGI

Steve Lime Steve.Lime at dnr.state.mn.us
Thu Jul 10 15:13:03 PDT 2008


Hi Graeme: Comments inline... I definitely underestimated the impacts of those
changes. Anyway...

>>> On 7/9/2008 at 11:23 PM, in message
<1215663787.2513.112.camel at bongolx.ringo.net>, Graeme Watmuff
<gwatmuff at geographicweb.com.au> wrote:
> It has become apparent through some frustrating moments of trial and
> error that many of the mapfile variables that were changeable via URL
> with mapserver 4.10.x CGI seem no longer changeable with v5.x or 5.2.x.
> There is a hint from the docs that this is because of security concerns?
> Our java apps don't allow web users to directly interact with the CGI,
> so security doesn't seem so important in our case.

Allowing unaltered, direct modification of things like FILTERs or CONNECTIONS
is a potential security risk although I've never run across a documented case. Filters
are risky because they are passed to the underlying data driver which generally
trust the contents.

> Some examples:
> 
> map_web_metadata='text1' 'text2'
> map_layerName_filter=<expression>
> map_layerName_tileindex=<tileindex.shp>
> map_layerName_data=<datasource>
> 
> allow changes to the mapfile via URL with mapserver 4.10.x
> 
> Following the new syntax specified for v5 + I had expected
> 
> map_web=metadata+"'text1' 'text2'" or maybe
> map_web_metadata[0]='text1'+'text2',
> map_layer[layerName]=filter+<expression>,
> map_layer[layerName]=tileindex+<tileindex.shp>,
> map_layer[layerName]=data+<datasource>
> 
> to all perform in the time-honoured way.

And they don't... If they did you could combine modifications to a layer in a single 
variable:

  map_layer[layerName]=filter+<expression>+tileindex+<tileindex.shp>+data+<datasource>

> Only 'data' could be changed with this new mapserver 5 syntax. I
> happened to discover through the change logs that changing tileindex was
> reinstated for mapserver 5 CGI, but using the old mapserver 4.10 syntax
> (map_layerName_tileindex)=<tileindex.shp> - not the new mapserver 5
> syntax style (map_layer[layerName]=tileindex+<tileindex.shp>).

Looking at the code, TILEINDEX is not changable via a URL with any syntax. The
change log references a bug fix to 4.10. The old syntax doesn't work at all.

> mapserv 5 CGI throws an error (Parsing error near (filter)) when the new
> syntax is used for filter and ignores the old 4.10 filter syntax.

This is expected. It will fail with an error as opposed to the silent failure of versions
past.

> No URL syntax for changing the web object's metadata content appears
> acceptable to the mapserver 5. 

Correct.

> I would dearly like to see changing the layer filter via URL restored
> also to mapserver 5. And the web object's metadata setting functionality
> too.

It's possible to customize this behavior by editing maplexer.l and recompiling
the code. Simply find the keyword you're interested in supporting and change
the states at which it is valid. So, for TILEINDEX:

<INITIAL>tileindex 

becomes:

<INITIAL,URL_STRING>tileindex

Same goes for the other parameters you'd want to activate.

> Can anyone indicate what mapfile properties are or are not going to be
> reinstated in mapserver 5 compared to mapserver 4 for change via URL?
> Obviously this has development ramifications for us when we try to
> upgrade mapserver.

If I (or anyone) can think of a way to make this tunable at runtime I'd love
to talk more about it. The set of parameters supported in 5.2 has only changed
a little bit since 5.0 based on user input. I can't see exposing more without
good reason. FILTER in particular is worrisome and there is a work around with
the runtime substitution (e.g. FILTER %someval%). In that example you can
pass someval via URL but you have to define a validation pattern (a regex) to
check it against.
 
> Alternatively, am I missing something with new mapserver 5 syntax?

I'm curious if updating maplexer.l to fit your particular needs is workable.

> Graeme Watmuff

Steve




More information about the MapServer-users mailing list