Added managing of SVG format in applytSLD - added thanks to Regione Toscana SITA #4842
Conversation
|
a clean pull request. commets referred to closed pull request: |
| @@ -398,9 +399,18 @@ int msAddImageSymbol(symbolSetObj *symbolset, char *filename) | |||
| symbol->full_pixmap_path = msStrdup(msBuildPath(szPath, NULL, filename)); | |||
| } | |||
| symbol->imagepath = msStrdup(filename); | |||
| symbol->inmapfile = MS_TRUE; | |||
There was a problem hiding this comment.
this should not be set. it indicates the symbol block was read from the mapfile instead of the symbolset
There was a problem hiding this comment.
ha ok... so it should be set at the parse sld level.
There was a problem hiding this comment.
it does not need to be set at all
There was a problem hiding this comment.
probabily I didn't explain well
the context is apply a SLD to mapfile
the anomaly rise up due the fact that Mark symbol are shown in mapfile but the svg symbol not
In fact for Mark symbol, the symbol->inmapfile is set to true
mapogcsld.c:1747 - msSLDGetMarkSymbol
I'm agree that, with your explication, symbol->inmapfile = MS_TRUE shouldn't be in msAddImageSymbol, my idea is this should be done at the level of parsing the sld.
There was a problem hiding this comment.
I can confirm that it's not needed. The only place where it's used is when writing a mapfile to disk, and even in that use-case it is not necessary for these "shortcut" symbols.
|
so, does this one actually work, I don't see any difference with the previous one you said was failing? Again, I'm not sure this should go into the 6.4 branch without a review from the devs (loading arbitrary SVG files from the internet without validation patterns (given this is SLD) seems risky. we do however do it for pixmap symbols already): @sdlime , @dmorissette , @rouault ? |
|
@tbonfort I didn't know that github auto update pull request... before this automatic update I saw my merge commit creating problem to travis compilation so I created a new one, sorry for the noise. about merging in 6.4 it's up to you... in this case My pull request try to solve getting svg from local so a mediate solution could be adding a control to avoid set svg if it's an url but set it if it's a local path. |
|
news from @sdlime , @dmorissette , @rouault ? |
|
I understand the security implications of this PR. I think that limiting SVG loading to local filesystem should avoid any major issue: would a patch be acceptable if so modified? |
|
I am also concerned by the possible security implications, but am not familiar enough with the SVG format to know if there is a real risk of injection through SVG files. On the mapserver-dev list, @sdlime suggested limiting SVG loading to local filesystem by default and adding the ability to enable the use of remote SVG or image files in SLDs using a metadata such as OWS_ALLOW_REMOTE_SLD_ASSETS, false by default. I like this suggestion. Since this is not a trivial bug fix and is actually extending a feature, I'd suggest merging to master only (and @luipir wrote that they don't need it in 6.4 anyway). |
|
Seems a good solution to me. |
|
We should probably also be disallowing the loading of remote png/gif images, as those can also be an attack vector through vulnerabilities in giflib/libpng. I also think that adding some kind of configuration to disallow remote SLD assets, or maybe even better to require a VALIDATION entry for those assets, is the correct way to go. The problem here is that this kind of change is really not a good fit for a point-release as it breaks backwards compatibility for those that were already using loading of remote images through SLD. |
|
I'll modify pull request avoiding load remote svg by default using compilation variable: OWS_ALLOW_REMOTE_SLD_ASSETS |
…oscana - SITA added support to svg managing creation of SYMBOL for each svg symbol and setting MS_SYMBOL_SVG removed unused inlude added check in case externalGraphic svg is remote => by default refused
|
Hi, I modified pull request adding control as requested in this thread let me know |
|
no news? |
|
Looks like we're good to go. @tbonfort do you want to merge into 6.4 and master? |
|
I don't think this is ready for inclusion:
|
|
Hi @tbonfort here no SVG is added if it is an external reference and here is managed OWS_ALLOW_REMOTE_SLD_ASSETS about OWS_ALLOW_REMOTE_SLD_ASSETS your observation is that I should add it build system as part of pull request? |
|
"USE_CURL control in mapogcsld.c:2079 (...): OK I think it should not be a compile time option but configured through the mapfile. From your patch, it is a compile time option that cannot be set by a user as it is not managed by the build system. |
|
@tbonfort "From your patch, it is a compile" this is because as I understood comments by @dmorissette referring to OWS_ALLOW_REMOTE_SLD_ASSETS. But if in other way, please explain me so I can change pull request. |
|
You can find usage of CONFIG options here: https://github.com/mapserver/mapserver/blob/branch-6-4/mapdraw.c#L207 |
|
thank you @tbonfort but how can I use msTestConfigOption inside msAddImageSymbol(...)? I can't find a way to access map to get this paramter. The only place I've access to map in the upper call... in msSLDParseExternalGraphic. I'm preparing pull request in this way |
|
I don't believe msSLDParseExternalGraphic it the correct place to manage ALLOW_REMOTE_ASSETS parameter. In this way It will be manage only in svg entered using applaySld but I imagin this control should be general applied to all svg (and pixmap?) symbols. the best place where to apply is in msAddImageSymbol but can't find a way to access map struct to get option parameter. please let me know a direction |
…config option instead of copilation flag
|
I changed pull request to align with the last comments... I didn't find a way to generalize external symbol control that should be in msAddImageSymbol instead of only in msSLDParseExternalGraphic. I tested using sld with external svg and they are filtered by default... this filter is applied to all external symbols not only svg when importing sld |
|
reopened with pull request in master: |
Added support to svg when creating map from SLD
Added image/svg-xml MIME type suppot and creation of SYMBOL for each svg and setting MS_SYMBOL_SVG
pull request limit SVG loading only if it's not remote (http)