[mapserver-users] RE: Validation beyond [A-z]

Lime, Steve D (DNR) steve.lime at state.mn.us
Fri Apr 29 14:59:52 EDT 2011 

"." is a pattern that says the string contains at least one character, it's a wild card so that's why anything matches. Granted, regex's aren't easy to use but you can accomplish a lot with very simple patterns, plus I've not seen or been presented with a better idea.

Validation is (and will be) pushed for a couple of reasons:


-          To keep users from making poor decisions by forcing them to explicitly make (and think about) them

-          To try and limit unintended uses (we could go much further here)

Not everyone is risk aware and I feel a responsibility to try and help users limit risk. I suppose the lack of documentation doesn't support that last statement but we can fix that.  Without validation efforts there's potentially an inherent assumption that the rest of the codebase is insecure. We've made mistakes and take the topic seriously.

That said, I'm not adverse to a "no validation" switch as long as it's off by default, file a ticket...

Steve


From: Jan Hartmann [mailto:j.l.h.hartmann at uva.nl]
Sent: Friday, April 29, 2011 5:38 AM
To: woodbri at swoodbridge.com
Cc: Lime, Steve D (DNR); mapserver-users at lists.osgeo.org; Rahkonen Jukka
Subject: Re: [mapserver-users] RE: Validation beyond [A-z]


Thanks Steve. I don't understand the syntax: in the regex versions I use, "." means "one and just one character", not any string.

Any string excluding the null-string would be ".+" or "..*"



More generally, I still have problems with validation as a concept: it's too difficult, and perhaps that's why it isn't documented.

I have postings about this subject in my personal mapserver-dev mail-archive dating from 2002

(couldn't find them on the official site any more), and there still isn't a clear solution almost ten years later.



IMHO the major security risk of MapServer CGI is that it gives access to the filesystem outside the web-root. Wouldn't it be better to keep security at that level,

i.e. only let MapServer access explicitly defined parts of the filesystem? Within these parts, it's up to the web-site builder to put only those things that should be

visible and nothing else. You don't put an ultra-secret document on the web and afterward restrict access to portions only, you just put there what you want to show

to the world. Same goes for validations on extent or styles: just make your selections of what you want to show "before" you let MapServer loose on it.



The same story can be told for database access and restrictions on SQL queries: IMHO that is a matter for the database system.

It's easy enough to put everything behind barriers with user privileges and views. Why should mapserver double all that security?

Any competent database administrator should know how to prevent SQL injects,

and MapServer should not be there to protect those who are unable to.



I've been working with Cloud VM's for about a year now, and in that environment many security problems disappear: just make small, dedicated

servers and interconnect them, e.g. with cascading services.



So my view would be: let the Operating System and the Database do everything needed to secure files and databases, and put in your web services only afterwards.

It all gets too complex with all those interconnected securities at all levels of the system (my main problem with Apache).



In the last ressort: KISS (Keep It Simple Steve (whoever)) :-)



Jan





-------------------------------------------------------------------------------------



On 04/28/11 18:48, Steve Woodbridge wrote



Hi Jan,



I do not think there is a global OFF switch for validation, but where

validation is required you can include the regex validation string of

/./ which means match anything except a null string, or to also accept a

null string then use /.*/



You still need to be aware of when you should put a validation in place

even if it accepts any string.



Regards,

   -Steve W


On 04/28/11 18:48, Jan Hartmann wrote:
I find the whole validation issue difficult and not well documented (http://trac.osgeo.org/mapserver/ticket/3754, last updated four hours ago). How do I put all validation off? I really don need that much security.

Jan

On 04/28/11 18:19, Lime, Steve D (DNR) wrote:
I see the problem, just not sure how to fix it. Steve W. provided some possibilities but that's probably not the only approach. It would be helpful if some interested person(s) got together and drafted an RFC. I think the devs would be in a position to help define implementation details if the problem is well defined along with a proposed solution.

Steve

From: mapserver-users-bounces at lists.osgeo.org<mailto:mapserver-users-bounces at lists.osgeo.org> [mailto:mapserver-users-bounces at lists.osgeo.org] On Behalf Of Rahkonen Jukka
Sent: Thursday, April 28, 2011 4:21 AM
To: mapserver-users at lists.osgeo.org<mailto:mapserver-users at lists.osgeo.org>
Subject: [mapserver-users] Validation beyond [A-z]

Hi,

Validation is nowadays needed in quite a many places in a mapfile.  However, we who live outside the English speaking world tend to have more characters in the alphabet than A to Z.  This makes the mapfile validation idea only half effective because for making things to work at all with the native data we must accept almost everything that is non-numeric with wildcards. Are there others who think that this is a problem?

Stephen Woodbidge commented slightly this topic in another thead a month ago (Mar 29, 2011)
http://lists.osgeo.org/pipermail/mapserver-users/2011-March/068307.html

-Jukka Rahkonen-



_______________________________________________

mapserver-users mailing list

mapserver-users at lists.osgeo.org<mailto:mapserver-users at lists.osgeo.org>

http://lists.osgeo.org/mailman/listinfo/mapserver-users





_______________________________________________

mapserver-users mailing list

mapserver-users at lists.osgeo.org<mailto:mapserver-users at lists.osgeo.org>

http://lists.osgeo.org/mailman/listinfo/mapserver-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.osgeo.org/pipermail/mapserver-users/attachments/20110429/0ffed55d/attachment-0001.html

More information about the mapserver-users mailing list