Verify/enhance security for runtime substitutions...
Man, I swear I already added this bug. Anyway, basically I think we need to
make sure that runtime substitutions are not a big security hole. We only
support a few, but allowing unfiltered substitution is likely dangerous. There
is no way to say only integers allowed. While I don't believe there has ever
been an exploit, there is the potential for buffer overruns (less likely) or SQL
injection when substituting into a WHERE clause for one of the databases.

I don't know that there is one set of filtering that we could implement that
would work in all cases. Rather, I think we need to allow for ad hoc filtering
via regular expressions.

One idea might be to allow users to define filters based on variable names in a
layer metadata section. For example, let's say you have an expression like:

    EXPRESSION ('[ID]' eq '%myid%')

so 'myid' is being passed into MapServer. Then you might set metadata like:

    METADATA
      myid_pattern '[0-9]{5,10}?'
      ...
    END

Which would restrict the value of 'myid' to a number between 5 and 10
characters long.

Implementation would be pretty simple, impacting only a small portion of
mapserv.c.

Steve
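
One way the per-variable pattern check proposed above could work, as an added example (not MapServer's code and not part of the ticket): `value_allowed` and `substitute` are hypothetical helpers built on POSIX `regex.h`, the pattern is the ticket's without the trailing `?`, and the request values are constructed. The pattern is anchored at both ends and a missing pattern rejects the value, so a valid prefix followed by extra text never reaches the expression.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MapServer code): 1 if the whole value matches
 * the layer's pattern, 0 otherwise. Fails closed when no pattern is set. */
static int value_allowed(const char *pattern, const char *value)
{
    char anchored[256];
    regex_t re;
    int n, rc;
    if (pattern == NULL || value == NULL) return 0;
    /* Anchor both ends so a valid prefix cannot carry a hostile tail. */
    n = snprintf(anchored, sizeof anchored, "^(%s)$", pattern);
    if (n < 0 || (size_t)n >= sizeof anchored) return 0;
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) return 0;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Replace the first %name% in tmpl with value, after validation.
 * Returns 0 on success, -1 if rejected, token absent, or out too small. */
static int substitute(const char *tmpl, const char *name, const char *pattern,
                      const char *value, char *out, size_t outsz)
{
    char token[64];
    const char *hit;
    int tlen, n;
    if (!value_allowed(pattern, value)) return -1;
    tlen = snprintf(token, sizeof token, "%%%s%%", name);
    if (tlen < 0 || (size_t)tlen >= sizeof token) return -1;
    if ((hit = strstr(tmpl, token)) == NULL) return -1;
    n = snprintf(out, outsz, "%.*s%s%s", (int)(hit - tmpl), tmpl, value, hit + tlen);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the ticket's expression and two request values. */
    const char *expr = "('[ID]' eq '%myid%')";
    const char *vals[] = { "123456", "12345' OR '1'='1" };
    char out[128];
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-20s -> %s\n", vals[i],
               substitute(expr, "myid", "[0-9]{5,10}", vals[i], out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```
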

Change History (7)

Component: MapServer CGI → MapServer Documentation
Owner: changed from sdlime to jmckenna
Status: assigned → new
Milestone: → 5.0.3 release
Description: modified
Milestone: → 5.6 release
Milestone: 5.6 release
Resolution: → invalid
Status: new → closed