Ticket #2939 (closed defect: fixed)
msLoadQuery() does not validate file extension when loading saved query files
Reported by: sdlime
Owned by: sdlime
Component: MapServer C Library
Version: unspecified
This can be used to probe a system for files that ARE NOT present. Since any value can be passed, the code will attempt to open the file and then, if missing, will report that fact. The solution is to validate the file extension before accessing the file and, if not ending with .qy, throw an error. Basically mirroring behavior used with mapfiles.
Might also make sense to add a magic key at the top of the file for further validation.
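A sketch of the two checks proposed in this ticket, as an added example that is not MapServer's own code: the extension is validated before any filesystem access, then the first line is compared against a magic key. The function names, return codes and the `QUERY_MAGIC` value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_EXT   ".qy"
#define QUERY_MAGIC "EXAMPLE_QUERY_MAGIC" /* hypothetical key, not a MapServer value */

enum { QY_OK = 0, QY_BAD_EXT, QY_OPEN_FAILED, QY_BAD_MAGIC };

/* Returns 1 only if filename has a non-empty base name followed by ".qy". */
static int has_query_extension(const char *filename)
{
    size_t len, ext_len = strlen(QUERY_EXT);
    if (filename == NULL) return 0;
    len = strlen(filename);
    if (len <= ext_len) return 0;
    return strcmp(filename + len - ext_len, QUERY_EXT) == 0;
}

/* Hypothetical loader: rejects on extension before touching the filesystem,
 * so a path without ".qy" gets the same answer whether or not it exists. */
int load_query_checked(const char *filename)
{
    char line[64];
    FILE *fp;
    size_t magic_len = strlen(QUERY_MAGIC);

    if (!has_query_extension(filename))
        return QY_BAD_EXT;              /* no fopen() has happened yet */

    fp = fopen(filename, "r");
    if (fp == NULL)
        return QY_OPEN_FAILED;

    /* Second check: the first line must be exactly the magic key. */
    if (fgets(line, sizeof line, fp) == NULL ||
        strncmp(line, QUERY_MAGIC, magic_len) != 0 ||
        (line[magic_len] != '\n' && line[magic_len] != '\r' &&
         line[magic_len] != '\0')) {
        fclose(fp);
        return QY_BAD_MAGIC;
    }
    /* Parsing of the saved query would start here. */
    fclose(fp);
    return QY_OK;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        printf("%s -> %d\n", argv[1], load_query_checked(argv[1]));
    return 0;
}
```

The extension check only narrows what can be probed to names ending in `.qy`; the open-failure and bad-magic cases should map to a single user-visible error if existence of those files must also stay hidden.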