Re: [mapserver-users] RE: Validation beyond [A-z]

Fri, 29 Apr 2011 03:38:33 -0700 

Thanks Steve. I don't understand the syntax: in the regex versions I use, "." means 
"one and just one character", not any string.
Any string excluding the null-string would be ".+" or "..*"

More generally, I still have problems with validation as a concept: it's too 
difficult, and perhaps that's why it isn't documented.
I have postings about this subject in my personal mapserver-dev mail-archive 
dating from 2002
(couldn't find them on the official site any more), and there still isn't a 
clear solution almost ten years later.

IMHO the major security risk of MapServer CGI is that it gives access to the 
filesystem outside the web-root. Wouldn't it be better to keep security at that 
level,
i.e. only let MapServer access explicitly defined parts of the filesystem? 
Within these parts, it's up to the web-site builder to put only those things 
that should be
visible and nothing else. You don't put an ultra-secret document on the web and 
afterward restrict access to portions only, you just put there what you want to 
show
to the world. Same goes for validations on extent or styles: just make your selections of 
what you want to show "before" you let MapServer loose on it.

The same story can be told for database access and restrictions on SQL queries: 
IMHO that is a matter for the database system.
It's easy enough to put everything behind barriers with user privileges and 
views. Why should mapserver double all that security?
Any competent database administrator should know how to prevent SQL injects,
and MapServer should not be there to protect those who are unable to.

I've been working with Cloud VM's for about a year now, and in that environment 
many security problems disappear: just make small, dedicated
servers and interconnect them, e.g. with cascading services.

So my view would be: let the Operating System and the Database do everything 
needed to secure files and databases, and put in your web services only 
afterwards.
It all gets too complex with all those interconnected securities at all levels 
of the system (my main problem with Apache).

In the last ressort: KISS (Keep It Simple Steve (whoever)) :-)

Jan


-------------------------------------------------------------------------------------

On 04/28/11 18:48, Steve Woodbridge wrote

Hi Jan,

I do not think there is a global OFF switch for validation, but where
validation is required you can include the regex validation string of
/./ which means match anything except a null string, or to also accept a
null string then use /.*/

You still need to be aware of when you should put a validation in place
even if it accepts any string.

Regards,
   -Steve W



On 04/28/11 18:48, Jan Hartmann wrote:
I find the whole validation issue difficult and not well documented (http://trac.osgeo.org/mapserver/ticket/3754, last updated four hours ago). How do I put all validation off? I really don need that much security. 

Jan

On 04/28/11 18:19, Lime, Steve D (DNR) wrote:
I see the problem, just not sure how to fix it. Steve W. provided some possibilities but that's probably not the only approach. It would be helpful if some interested person(s) got together and drafted an RFC. I think the devs would be in a position to help define implementation details if the problem is well defined along with a proposed solution. 

Steve
*From:*mapserver-users-boun...@lists.osgeo.org [mailto:mapserver-users-boun...@lists.osgeo.org] *On Behalf Of *Rahkonen Jukka 
*Sent:* Thursday, April 28, 2011 4:21 AM
*To:* mapserver-users@lists.osgeo.org
*Subject:* [mapserver-users] Validation beyond [A-z]

Hi,
Validation is nowadays needed in quite a many places in a mapfile. However, we who live outside the English speaking world tend to have more characters in the alphabet than A to Z. This makes the mapfile validation idea only half effective because for making things to work at all with the native data we must accept almost everything that is non-numeric with wildcards. Are there others who think that this is a problem?
Stephen Woodbidge commented slightly this topic in another thead a month ago (Mar 29, 2011) 

http://lists.osgeo.org/pipermail/mapserver-users/2011-March/068307.html

-Jukka Rahkonen-


_______________________________________________
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users



_______________________________________________
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users

_______________________________________________
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users

Reply via email to