Hi,
The paragraph about security concerns says "MapServer already accepts SLD from
remote URLs and client requests, so local SLD files shouldn't cause any
concerns."
It could be "shouldn't cause any new concerns". We may already have some, for
example when the SLD contains external graphics.

    <sld:ExternalGraphic>
      <sld:OnlineResource xmlns:xlink="http://www.w3.org/1999/xlink"
          xlink:type="simple" xlink:href="http://127.0.0.1/svg2.svg" />
      <sld:Format>image/svg</sld:Format>
    </sld:ExternalGraphic>

I think I have heard that this can be used for XXE injections. GeoServer
nowadays has a configuration option for defining a whitelist:
https://docs.geoserver.org/stable/en/user/production/config.html#external-entities-resolution
-Jukka Rahkonen-
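
An added example, not part of the message above and not MapServer or GeoServer code: a pre-deployment audit that lists the external graphics in an SLD file whose xlink:href falls outside a host allowlist, and refuses files that declare a DTD or entities. The allowlist host, the sample document and the function names are assumptions made for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_HOSTS = {"symbols.example.org"}  # assumption: hosts trusted to serve symbols

# Constructed sample; the first graphic is the one quoted in the message.
SAMPLE_SLD = """<sld:StyledLayerDescriptor version="1.0.0"
    xmlns:sld="http://www.opengis.net/sld" xmlns:xlink="http://www.w3.org/1999/xlink">
  <sld:ExternalGraphic>
    <sld:OnlineResource xlink:type="simple" xlink:href="http://127.0.0.1/svg2.svg"/>
    <sld:Format>image/svg</sld:Format>
  </sld:ExternalGraphic>
  <sld:ExternalGraphic>
    <sld:OnlineResource xlink:type="simple" xlink:href="https://symbols.example.org/a.svg"/>
  </sld:ExternalGraphic>
</sld:StyledLayerDescriptor>"""

def check_href(href, allowed=ALLOWED_HOSTS):
    """Return the reason an href is rejected, or None if it passes."""
    url = urlsplit(href)
    if url.scheme not in ("http", "https"):
        return "not an http(s) URL"
    host = (url.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return "loopback or internal address"
    if host not in allowed:
        return "host not on allowlist"
    return None

def audit_sld(text, allowed=ALLOWED_HOSTS):
    """List (href, reason) for each external graphic that fails the policy."""
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("SLD declares a DTD or entities; refusing to parse")
    findings = []
    for graphic in ET.fromstring(text).iter():
        # Match on the local name so sld: (1.0) and se: (1.1) prefixes both work.
        if graphic.tag.rsplit("}", 1)[-1] != "ExternalGraphic":
            continue
        for res in graphic:
            href = res.get(XLINK_HREF)
            if href is not None and (reason := check_href(href, allowed)):
                findings.append((href, reason))
    return findings
```

A hostname allowlist does not cover a listed name that resolves to an internal address; that has to be checked where the graphic is actually fetched.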
-----Original Message-----
From: MapServer-dev <[email protected]> On Behalf Of Seth
G via MapServer-dev
Sent: Saturday, 10 February 2024 1:04
To: MapServer Devs <[email protected]>
Subject: [MapServer-dev] RFC 138 - Reference SLD files in Mapfiles
Hi all,
I've added a new RFC - MS RFC 138: Reference SLD files in Mapfiles at
https://mapserver.org/development/rfc/ms-rfc-138.html
This would allow SLD files to be referenced in a Mapfile using the STYLEITEM
(similar to how JS files are referenced):

    LAYER
      STYLEITEM "sld://mysldfile.xml" # uses SHAPEPATH and if not set then
                                      # relative path to the Mapfile or absolute path
      CLASS # define an empty CLASS here
      END
    END

It will make it easier to export Mapfiles from other applications such as QGIS,
and to share styles e.g. between MapServer and GeoServer. More details are in
the RFC.
Feedback and comments appreciated.
I'll start with my +1,
Seth
--
web:https://geographika.net/ & https://mapserverstudio.net/
twitter: @geographika
_______________________________________________
MapServer-dev mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/mapserver-dev