[OpenLayers-Dev] WMSManager closer to beta version

Christopher Schmidt crschmidt at metacarta.com
Wed Jun 6 09:50:25 EDT 2007


On Wed, Jun 06, 2007 at 09:01:16AM -0400, John R. Frank wrote:
> Hi Lorenzo,
> 
> > > an extensive list you could test against is available at
> > > http://www.microimages.com/wmscatalog/request.cgi?
> >
> > an important issue I did not answer before to Ludwig: "I suggest that
> > people can also type in their own WMS layer URL" This would be cool but
> > there's a major problem: I'm using the default OL proxy.cgi where you
> > need to subscribe by hand all "allowed" servers. There's no clean way,
> > actually, to add a user server on the fly to CGI internal list without
> > creating a security hole. suggestions are welcome
> 
> Right now, a hardcoded list in the script is a simple way to restrict
> fetches only to servers with OGC services, so miscreants cannot use the
> server running the proxy to hide.

Note that we've already built a 'saferproxy' -- one which does testing
of content-types to determine whether the requests are 'safe' based on a
list of allowed content types, and uses memcached-based request logging
to track bad requests, so that abusers are banned from the service for
24 hours. Schuyler wrote the code for the openlayers.org domain, so once
the code is in trunk, the WMSManager will be able to use that. In
testing, Lorenzo, you can probably modify your local proxy.cgi so that
it just allows anything (allowedHosts = None ought to do it), develop
against that, and then I'll try and get the saferproxy up into the
dev.openlayers.org host space. (I tried this before and failed. I'll try
again.) So, this is a problem with code already in existence: I'm just
not really in the business of maintaining proxies, so we haven't yet
spent any time documenting/supporting this particular case.  

> Perhaps some of the simpler backends in FeatureServer provide some
> cut&paste material for making such a stateful proxy.

Nope. Nothing in FeatureServer will help here.  

Regards,
-- 
Christopher Schmidt
MetaCarta
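
An added sketch of the policy described in the message above (not the saferproxy code, which the post does not show): a content-type allowlist check combined with per-client bad-request tracking and a 24-hour ban. The allowlist entries, the threshold of 5, the class and method names, and the in-memory dict standing in for memcached are assumptions.

```python
import time

# Assumed allowlist; the post does not say which content types saferproxy permits.
ALLOWED_CONTENT_TYPES = {
    "text/xml", "application/xml",
    "application/vnd.ogc.wms_xml", "application/vnd.ogc.se_xml",
}
BAN_SECONDS = 24 * 60 * 60   # 24-hour ban, as described in the post
MAX_BAD_REQUESTS = 5         # assumed threshold, not stated in the post

class ProxyPolicy:
    """Decides whether a fetched upstream response may be relayed to a client."""
    def __init__(self, store=None, clock=time.time):
        # Dict of key -> (value, expiry), standing in for memcached with TTLs.
        self.store = {} if store is None else store
        self.clock = clock

    def _get(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        value, expires = entry
        if expires <= self.clock():   # expired entries behave as missing
            del self.store[key]
            return None
        return value

    def _set(self, key, value, ttl):
        self.store[key] = (value, self.clock() + ttl)

    def is_banned(self, client):
        # A real proxy would call this before fetching anything upstream.
        return self._get("ban:" + client) is not None

    def check_response(self, client, content_type):
        """Return True if the response may be relayed; log and ban otherwise."""
        if self.is_banned(client):
            return False
        # Drop parameters such as "; charset=utf-8" before comparing.
        media_type = (content_type or "").split(";", 1)[0].strip().lower()
        if media_type in ALLOWED_CONTENT_TYPES:
            return True
        # Count the bad request; a missing Content-Type counts as bad too.
        count = (self._get("bad:" + client) or 0) + 1
        self._set("bad:" + client, count, BAN_SECONDS)
        if count >= MAX_BAD_REQUESTS:
            self._set("ban:" + client, 1, BAN_SECONDS)
        return False
```
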


