Require validation for CGI queryfile parameter (#4874).

MapServer · Feb 24, 2014 · 88ec351 · 88ec351
1 parent 05ff84f
commit 88ec351
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/HISTORY.TXT b/HISTORY.TXT
@@ -15,6 +15,8 @@ For a complete change history, please see the Git log comments.
 7.0 release (TBD)
 -----------------
 
+- Require validation on the CGI queryfile parameter. (#4874)
+
 - Apply RFC86 scaletoken substitutions to layer->PROCESSING entries
 
 - RFC108 Heatmap / Kernel-Density Layers

diff --git a/mapservutil.c b/mapservutil.c
@@ -363,6 +363,10 @@ int msCGILoadForm(mapservObj *mapserv)
 
     if(strcasecmp(mapserv->request->ParamNames[i],"queryfile") == 0) {
       mapserv->QueryFile = msStrdup(mapserv->request->ParamValues[i]);
+      if(msValidateParameter(mapserv->QueryFile, msLookupHashTable(&(mapserv->map->web.validation), "queryfile"), NULL, NULL, NULL) != MS_SUCCESS) {
+        msSetError(MS_WEBERR, "Parameter 'queryfile' value fails to validate.", "mapserv()");
+        return MS_FAILURE;
+      }
       continue;
     }