New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added managing of SVG format in applytSLD - added thanks to Regione Toscana SITA #4842
Conversation
a clean pull request. commets referred to closed pull request: |
@@ -398,9 +399,18 @@ int msAddImageSymbol(symbolSetObj *symbolset, char *filename) | |||
symbol->full_pixmap_path = msStrdup(msBuildPath(szPath, NULL, filename)); | |||
} | |||
symbol->imagepath = msStrdup(filename); | |||
symbol->inmapfile = MS_TRUE; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should not be set. it indicates the symbol block was read from the mapfile instead of the symbolset
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ha ok... so it should be set at the parse sld level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it does not need to be set at all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probabily I didn't explain well
the context is apply a SLD to mapfile
the anomaly rise up due the fact that Mark symbol are shown in mapfile but the svg symbol not
In fact for Mark symbol, the symbol->inmapfile is set to true
mapogcsld.c:1747 - msSLDGetMarkSymbol
I'm agree that, with your explication, symbol->inmapfile = MS_TRUE shouldn't be in msAddImageSymbol, my idea is this should be done at the level of parsing the sld.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can confirm that it's not needed. The only place where it's used is when writing a mapfile to disk, and even in that use-case it is not necessary for these "shortcut" symbols.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
so, does this one actually work, I don't see any difference with the previous one you said was failing? Again, I'm not sure this should go into the 6.4 branch without a review from the devs (loading arbitrary SVG files from the internet without validation patterns (given this is SLD) seems risky. we do however do it for pixmap symbols already): @sdlime , @dmorissette , @rouault ? |
@tbonfort I didn't know that github auto update pull request... before this automatic update I saw my merge commit creating problem to travis compilation so I created a new one, sorry for the noise. about merging in 6.4 it's up to you... in this case My pull request try to solve getting svg from local so a mediate solution could be adding a control to avoid set svg if it's an url but set it if it's a local path. |
news from @sdlime , @dmorissette , @rouault ? |
I understand the security implications of this PR. I think that limiting SVG loading to local filesystem should avoid any major issue: would a patch be acceptable if so modified? |
I am also concerned by the possible security implications, but am not familiar enough with the SVG format to know if there is a real risk of injection through SVG files. On the mapserver-dev list, @sdlime suggested limiting SVG loading to local filesystem by default and adding the ability to enable the use of remote SVG or image files in SLDs using a metadata such as OWS_ALLOW_REMOTE_SLD_ASSETS, false by default. I like this suggestion. Since this is not a trivial bug fix and is actually extending a feature, I'd suggest merging to master only (and @luipir wrote that they don't need it in 6.4 anyway). |
Seems a good solution to me. |
We should probably also be disallowing the loading of remote png/gif images, as those can also be an attack vector through vulnerabilities in giflib/libpng. I also think that adding some kind of configuration to disallow remote SLD assets, or maybe even better to require a VALIDATION entry for those assets, is the correct way to go. The problem here is that this kind of change is really not a good fit for a point-release as it breaks backwards compatibility for those that were already using loading of remote images through SLD. |
I'll modify pull request avoiding load remote svg by default using compilation variable: OWS_ALLOW_REMOTE_SLD_ASSETS |
…oscana - SITA added support to svg managing creation of SYMBOL for each svg symbol and setting MS_SYMBOL_SVG removed unused inlude added check in case externalGraphic svg is remote => by default refused
Hi, I modified pull request adding control as requested in this thread let me know |
no news? |
Looks like we're good to go. @tbonfort do you want to merge into 6.4 and master? |
I don't think this is ready for inclusion:
|
Hi @tbonfort here no SVG is added if it is an external reference and here is managed OWS_ALLOW_REMOTE_SLD_ASSETS about OWS_ALLOW_REMOTE_SLD_ASSETS your observation is that I should add it build system as part of pull request? |
"USE_CURL control in mapogcsld.c:2079 (...): OK I think it should not be a compile time option but configured through the mapfile. From your patch, it is a compile time option that cannot be set by a user as it is not managed by the build system. |
@tbonfort "From your patch, it is a compile" this is because as I understood comments by @dmorissette referring to OWS_ALLOW_REMOTE_SLD_ASSETS. But if in other way, please explain me so I can change pull request. |
You can find usage of CONFIG options here: https://github.com/mapserver/mapserver/blob/branch-6-4/mapdraw.c#L207 |
thank you @tbonfort but how can I use msTestConfigOption inside msAddImageSymbol(...)? I can't find a way to access map to get this paramter. The only place I've access to map in the upper call... in msSLDParseExternalGraphic. I'm preparing pull request in this way |
I don't believe msSLDParseExternalGraphic it the correct place to manage ALLOW_REMOTE_ASSETS parameter. In this way It will be manage only in svg entered using applaySld but I imagin this control should be general applied to all svg (and pixmap?) symbols. the best place where to apply is in msAddImageSymbol but can't find a way to access map struct to get option parameter. please let me know a direction |
…config option instead of copilation flag
I changed pull request to align with the last comments... I didn't find a way to generalize external symbol control that should be in msAddImageSymbol instead of only in msSLDParseExternalGraphic. I tested using sld with external svg and they are filtered by default... this filter is applied to all external symbols not only svg when importing sld |
reopened with pull request in master: |
Added support to svg when creating map from SLD
Added image/svg-xml MIME type suppot and creation of SYMBOL for each svg and setting MS_SYMBOL_SVG
pull request limit SVG loading only if it's not remote (http)