Opened 12 years ago

Closed 12 years ago

#2488 closed defect (wontfix)

Specifying FILTER via URL is not enabled

Reported by: tamas Owned by: sdlime
Priority: normal Milestone: 5.0.3 release
Component: MapServer CGI Version: 5.0
Severity: normal Keywords:


Currently I cannot use &map.layer[0]=FILTER+myfilter+END

in the URL specification because of the missing maplexer definition

<INITIAL,URL_STRING>filter {return (FILTER);}

Change History (6)

comment:1 Changed 12 years ago by tamas

Milestone: 5.2 release5.0.3 release

comment:2 Changed 12 years ago by sdlime

Status: newassigned

Think this is purposeful as filters are passed directly do the underlying data source, often PostGIS, so this would be a big security hole. PostGIS does no validation. I need to look at the code though and see if I put some requirements about validation filters in place to mitigate this.


comment:3 Changed 12 years ago by dmorissette

Whatever we do I don't think this fits in the scope of a bugfix release... I suggest we push this one to 5.2

comment:4 Changed 12 years ago by tamas

May I consider the run-time substitution as a possible alternative of this, or has it got some limitation with respect to the filter parameter?

comment:5 Changed 12 years ago by sdlime

That's the workaround for setting an expression too. The runtime substitutions do have the option of setting a regex to validate the variable value against. That will work for filters as well. I think we can mark this as WONTFIX if that's ok with you.


comment:6 Changed 12 years ago by sdlime

Resolution: wontfix
Status: assignedclosed

Marking as WONTFIX since the behavior is intentional and there is a workaround...


Note: See TracTickets for help on using tickets.