On Wed, Jun 06, 2007 at 09:01:16AM -0400, John R. Frank wrote:
> Hi Lorenzo,
>
> > > an extensive list you could test against is available at
> > > http://www.microimages.com/wmscatalog/request.cgi?
> >
> > an important issue I did not answer before to Ludwig: "I suggest that
> > people can also type in their own WMS layer URL" This would be cool but
> > there's a major problem: I'm using the default OL proxy.cgi where you
> > need to subscribe by hand all "allowed" servers. There's no clean way,
> > actually, to add a user server on the fly to CGI internal list without
> > creating a security hole. Suggestions are welcome
>
> Right now, a hardcoded list in the script is a simple way to restrict
> fetches only to servers with OGC services, so miscreants cannot use the
> server running the proxy to hide.

Note that we've already built a 'saferproxy' -- one which does testing
of content-types to determine whether the requests are 'safe' based on a
list of allowed content types, and uses memcached-based request logging
to track bad requests, so that abusers are banned from the service for
24 hours. Schuyler wrote the code for the openlayers.org domain, so once
the code is in trunk, the WMSManager will be able to use that.

In testing, Lorenzo, you can probably modify your local proxy.cgi so
that it just allows anything (allowedHosts = None ought to do it),
develop against that, and then I'll try and get the saferproxy up into
the dev.openlayers.org host space. (I tried this before and failed. I'll
try again.)

So, this is a problem with code already in existence: I'm just not
really in the business of maintaining proxies, so we haven't yet spent
any time documenting/supporting this particular case.

> Perhaps some of the simpler backends in FeatureServer provide some
> cut&paste material for making such a stateful proxy.

Nope. Nothing in FeatureServer will help here.

Regards,
-- 
Christopher Schmidt
MetaCarta
_______________________________________________
Dev mailing list
http://openlayers.org/mailman/listinfo/dev
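
The two checks described in the message above (a content-type allowlist, and a 24-hour ban for clients that make bad requests), sketched as an added example; this is not the OpenLayers saferproxy code. The content-type list, the three-strike threshold, the class name and the in-process dict standing in for memcached are all assumptions.

```python
import time
from urllib.parse import urlsplit

# Assumed values: the thread gives neither the content-type list nor a threshold.
ALLOWED_TYPES = {"text/xml", "application/xml", "application/vnd.ogc.wms_xml",
                 "application/vnd.ogc.se_xml", "image/png", "image/jpeg", "image/gif"}
BAN_SECONDS = 24 * 3600   # "banned from the service for 24 hours"
MAX_STRIKES = 3           # hypothetical threshold


class SaferProxyPolicy:
    """Policy checks only; fetching the upstream URL is left to the caller."""

    def __init__(self, allowed_hosts=None, clock=time.time):
        self.allowed_hosts = allowed_hosts   # None = any host, as in the thread
        self.clock = clock
        self.strikes = {}   # client -> (count, expiry); dict stands in for memcached

    def _count(self, client):
        count, expiry = self.strikes.get(client, (0, 0))
        return count if expiry > self.clock() else 0

    def _strike(self, client):
        # Each bad request renews the 24 h window, like resetting a memcached TTL.
        self.strikes[client] = (self._count(client) + 1, self.clock() + BAN_SECONDS)

    def check_request(self, client, url):
        """Before fetching: refuse banned clients, non-HTTP URLs, unlisted hosts."""
        if self._count(client) >= MAX_STRIKES:
            return False, "banned"
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            self._strike(client)
            return False, "bad url"
        if self.allowed_hosts is not None and parts.hostname not in self.allowed_hosts:
            self._strike(client)
            return False, "host not allowed"
        return True, "ok"

    def check_response(self, client, content_type):
        """After fetching: relay only responses with an allowlisted content type."""
        ctype = (content_type or "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_TYPES:
            self._strike(client)
            return False, "content type not allowed"
        return True, "ok"
```

With `allowed_hosts=None` the host check is skipped, so the content-type check and the strike counter are the only controls left on what the proxy will relay.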
