[mapserver-users] RE: Validation beyond [A-z]

Rahkonen Jukka Jukka.Rahkonen at mmmtike.fi
Fri Apr 29 08:03:27 EDT 2011 

Hi,

I am not so sure that we all are competent database administrators. Lots of us has started with tutorials like
http://www.duif.net/postgis/ and they do not tell much about fighting against SQL injection.

I consider it is good to have security settings in Mapserver. I admit they should be easy to use and well documented.

-Jukka Rahkonen-


-----Alkuperäinen viesti-----
Lähettäjä: mapserver-users-bounces at lists.osgeo.org puolesta: Jan Hartmann
Lähetetty: pe 29.4.2011 13:37
Vastaanottaja: woodbri at swoodbridge.com
Kopio: Rahkonen Jukka; mapserver-users at lists.osgeo.org
Aihe: Re: [mapserver-users] RE: Validation beyond [A-z]
 
Thanks Steve. I don't understand the syntax: in the regex versions I use, "." means "one and just one character", not any string.
Any string excluding the null-string would be ".+" or "..*"

More generally, I still have problems with validation as a concept: it's too difficult, and perhaps that's why it isn't documented.
I have postings about this subject in my personal mapserver-dev mail-archive dating from 2002
(couldn't find them on the official site any more), and there still isn't a clear solution almost ten years later.

IMHO the major security risk of MapServer CGI is that it gives access to the filesystem outside the web-root. Wouldn't it be better to keep security at that level,
i.e. only let MapServer access explicitly defined parts of the filesystem? Within these parts, it's up to the web-site builder to put only those things that should be
visible and nothing else. You don't put an ultra-secret document on the web and afterward restrict access to portions only, you just put there what you want to show
to the world. Same goes for validations on extent or styles: just make your selections of what you want to show "before" you let MapServer loose on it.

The same story can be told for database access and restrictions on SQL queries: IMHO that is a matter for the database system.
It's easy enough to put everything behind barriers with user privileges and views. Why should mapserver double all that security?
Any competent database administrator should know how to prevent SQL injects,
and MapServer should not be there to protect those who are unable to.

I've been working with Cloud VM's for about a year now, and in that environment many security problems disappear: just make small, dedicated
servers and interconnect them, e.g. with cascading services.

So my view would be: let the Operating System and the Database do everything needed to secure files and databases, and put in your web services only afterwards.
It all gets too complex with all those interconnected securities at all levels of the system (my main problem with Apache).

In the last ressort: KISS (Keep It Simple Steve (whoever)) :-)

Jan


-------------------------------------------------------------------------------------

On 04/28/11 18:48, Steve Woodbridge wrote

Hi Jan,

I do not think there is a global OFF switch for validation, but where
validation is required you can include the regex validation string of
/./ which means match anything except a null string, or to also accept a
null string then use /.*/

You still need to be aware of when you should put a validation in place
even if it accepts any string.

Regards,
    -Steve W



On 04/28/11 18:48, Jan Hartmann wrote:
> I find the whole validation issue difficult and not well documented 
> (http://trac.osgeo.org/mapserver/ticket/3754, last updated four hours 
> ago). How do I put all validation off? I really don need that much 
> security.
>
> Jan
>
> On 04/28/11 18:19, Lime, Steve D (DNR) wrote:
>>
>> I see the problem, just not sure how to fix it. Steve W. provided 
>> some possibilities but that's probably not the only approach. It 
>> would be helpful if some interested person(s) got together and 
>> drafted an RFC. I think the devs would be in a position to help 
>> define implementation details if the problem is well defined along 
>> with a proposed solution.
>>
>> Steve
>>
>> *From:*mapserver-users-bounces at lists.osgeo.org 
>> [mailto:mapserver-users-bounces at lists.osgeo.org] *On Behalf Of 
>> *Rahkonen Jukka
>> *Sent:* Thursday, April 28, 2011 4:21 AM
>> *To:* mapserver-users at lists.osgeo.org
>> *Subject:* [mapserver-users] Validation beyond [A-z]
>>
>> Hi,
>>
>> Validation is nowadays needed in quite a many places in a mapfile.  
>> However, we who live outside the English speaking world tend to have 
>> more characters in the alphabet than A to Z.  This makes the mapfile 
>> validation idea only half effective because for making things to work 
>> at all with the native data we must accept almost everything that is 
>> non-numeric with wildcards. Are there others who think that this is a 
>> problem?
>>
>> Stephen Woodbidge commented slightly this topic in another thead a 
>> month ago (Mar 29, 2011)
>>
>> http://lists.osgeo.org/pipermail/mapserver-users/2011-March/068307.html
>>
>> -Jukka Rahkonen-
>>
>>
>> _______________________________________________
>> mapserver-users mailing list
>> mapserver-users at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/mapserver-users
>
>
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-users

More information about the mapserver-users mailing list