Am I right that expressions could be changed by URLs in version 4 and
cannot be changed any more in version 5? In that case I would strongly
propose to reintroduce that possibility. It would break many of my
applications, and I would need to use MapScript for those. Generally I
only use CGI, because not all webservers I have to write for support
MapScript. It's really a big restriction on MapServer CGI.
If there are security problems, I would like to see examples of those.
Perhaps a more specific solution can be found then. Anyway, the DATA
statement is protected by the DATAPATTERN statement in the mapfile, so
if someone sets that open, he takes a risk anyway. Prohibiting changes
to expressions in that situation is overkill IMO.
Jan
Steve Lime wrote:
Expressions are not changeable via URL configuration, at least not in
their entirety like you are doing. I took a conservative approach to
exposing parameters to URL when that support was re-written for 5.0. I
was concerned that unchecked manipulation of expressions and filters
*could* be a security problem, so that is unavailable.
What do folks think?
Note that it is easy to re-enable. Just change line 162 in maplexer.l:
from <INITIAL>expression ...
to <INITIAL,URL_STRING>expression ...
You can also work around this using runtime substitution. Presumably
you'd write the mapfile entry like so:
  LAYER
    NAME 'fastvisa'
    ...
    CLASS
      EXPRESSION ([FNR]=%myid%)
    END
  END
and would have a URL like ...&myid=210176493&...
The advantage here is that you make the decision to enable that level of
configuration, plus you can apply a regex filter to the value passed in
from the URL and if the value doesn't match that pattern then no
substitution is made:
  LAYER
    NAME 'fastvisa'
    ...
    METADATA
      myid_validation_pattern '^\d{9}$'
    END
    CLASS
      EXPRESSION ([FNR]=%myid%)
    END
  END
In this example the input value for myid must consist of exactly 9
digits.
Steve
On 8/29/2007 at 7:28 AM, in message
<[EMAIL PROTECTED]>, Lars-Göran Edholm
<[EMAIL PROTECTED]> wrote:
Hi again!
Tried with
&map.layer[fastvisa].class[0]=EXPRESSION+([FNR]=210176493)
gives the error:
loadClass(): Unknown identifier. Parsing error near (EXPRESSION):(line 1)
with
&map.layer[fastvisa].class[0].EXPRESSION=([FNR]=210176493)
I get
loadClass(): Unknown identifier. Parsing error near (():(line 1)
Seems that there is something with Expression that is wrong.
Lars-Göran Edholm
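
A model of the validated runtime substitution described in Steve's reply, as an added example that is not part of the original thread and is not MapServer code: the `LAYER` dict, `substitute()`, `is_resolved()` and the sample query strings are constructed for illustration. It goes slightly beyond the message by refusing to fill a placeholder that has no validation pattern, and by matching with `re.fullmatch` and `re.ASCII` so that a trailing newline or non-ASCII digits do not pass `^\d{9}$`.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the 'fastvisa' layer in the message above.
LAYER = {
    "name": "fastvisa",
    "metadata": {"myid_validation_pattern": r"^\d{9}$"},
    "expression": "([FNR]=%myid%)",
}


def substitute(layer, query_string):
    """Fill %key% placeholders in the layer expression from URL parameters.

    Returns (expression, rejected_keys). A value that fails its pattern
    leaves the placeholder untouched, as the message describes.
    """
    expr = layer["expression"]
    rejected = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        token = "%" + key + "%"
        if token not in expr:
            continue  # parameter is not referenced by this expression
        pattern = layer["metadata"].get(key + "_validation_pattern")
        # This example's own choice: no pattern means no substitution.
        # fullmatch + re.ASCII: in Python, '$' also matches before a
        # trailing newline and '\d' also matches non-ASCII digits.
        if pattern is None or not re.fullmatch(pattern, value, re.ASCII):
            rejected.append(key)
            continue
        expr = expr.replace(token, value)
    return expr, rejected


def is_resolved(expr):
    """True when no %name% placeholder is left in the expression."""
    return re.search(r"%\w+%", expr) is None


if __name__ == "__main__":
    for qs in ("layer=fastvisa&myid=210176493",      # nine digits: accepted
               "layer=fastvisa&myid=21017649",       # eight digits: rejected
               "layer=fastvisa&myid=210176493%0A"):  # trailing newline: rejected
        expr, rejected = substitute(LAYER, qs)
        print(qs, "->", expr, "rejected:", rejected, "ok:", is_resolved(expr))
```

A caller built on this model would refuse to render whenever `is_resolved()` is false rather than pass the literal placeholder on to the expression parser.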