I'd favor the simpler and safer approach. It's not that difficult for the 
user to validate the layers requested against the GetCapabilities response. 
MapServer itself does not return the name of the invalid layer, presumably for 
the exact same reason. Instead you get "msWMSLoadGetMapParams(): WMS server 
error. Invalid layer(s) given in the LAYERS parameter. A layer might be 
disabled for this request. Check wms/ows_enable_request settings."

Even, would you be willing to prepare a patch?

Steve

-----Original Message-----
From: mapserver-users [mailto:[email protected]] On 
Behalf Of Jeff McKenna
Sent: Sunday, August 06, 2017 8:44 AM
To: [email protected]
Subject: Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
> 
> adding the development list in CC.
> 
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
> 
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it 
is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <-- -->. So that means at least removing --> sequences, but perhaps
> other things too?
> 
> Even
> 

-jeff
-- 
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
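The second option Even describes, sanitizing the value before it is placed inside an XML comment, as an added C example that is not MapCache's code: xml_comment_escape neutralises "--" and a trailing "-" (the two things XML forbids in a comment body), build_error_xml keeps the offending value in the message as Jeff asks for, and comment_is_intact is the check a regression test would run on the result. The function names, the ServiceException element and the sample value are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Make a request parameter value safe to embed inside an XML comment.
 * XML forbids "--" anywhere in a comment body and forbids the body ending
 * in "-", so a value starting with "-->" would otherwise terminate the
 * comment early and the rest would be parsed as markup. Every '-' that
 * follows another '-' or is the last character becomes '_'; control
 * characters become '?'. Caller frees the result. */
char *xml_comment_escape(const char *value) {
    size_t n = strlen(value);
    char *out = malloc(n + 1);
    int prev_dash = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c == 0x7f) c = '?';
        if (c == '-' && (prev_dash || i + 1 == n)) c = '_';
        out[i] = (char)c;
        prev_dash = (c == '-');
    }
    out[n] = '\0';
    return out;
}

/* Error document that keeps the offending value (element name is hypothetical). */
char *build_error_xml(const char *param, const char *raw_value) {
    char *safe = xml_comment_escape(raw_value);
    if (!safe) return NULL;
    size_t len = strlen(safe) + strlen(param) + 64;
    char *doc = malloc(len);
    if (doc)
        snprintf(doc, len, "<ServiceException><!-- Invalid %s: %s --></ServiceException>",
                 param, safe);
    free(safe);
    return doc;
}

/* Check: exactly one comment terminator, and no "--" between opener and terminator. */
int comment_is_intact(const char *doc) {
    const char *open = strstr(doc, "<!--");
    const char *close = open ? strstr(open + 4, "-->") : NULL;
    if (!open || !close) return 0;
    for (const char *p = open + 4; p < close; p++)
        if (p[0] == '-' && p[1] == '-') return 0;
    return strstr(close + 3, "-->") == NULL;
}
```

Calling build_error_xml("LAYER", "--> injected <b>markup</b> <!--") with the constructed sample yields a single well-formed comment whose body reads "Invalid LAYER: -_> injected <b>markup</b> <!-_".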
_______________________________________________
mapserver-users mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/mapserver-users