
Require validation for CGI queryfile parameter (#4874).

sdlime committed Feb 24, 2014
1 parent 05ff84f commit 88ec351fe7c085d544e8190ebb0bb809d8082ac9
Showing with 6 additions and 0 deletions.
  1. +2 −0 HISTORY.TXT
  2. +4 −0 mapservutil.c
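--- a/HISTORY.TXT
+++ b/HISTORY.TXT
@@ -15,6 +15,8 @@ For a complete change history, please see the Git log comments.
 7.0 release (TBD)
 -----------------
+- Require validation on the CGI queryfile parameter. (#4874)
+
 - Apply RFC86 scaletoken substitutions to layer->PROCESSING entries
 - RFC108 Heatmap / Kernel-Density Layers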
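--- a/mapservutil.c
+++ b/mapservutil.c
@@ -363,6 +363,10 @@ int msCGILoadForm(mapservObj *mapserv)
 if(strcasecmp(mapserv->request->ParamNames[i],"queryfile") == 0) {
 mapserv->QueryFile = msStrdup(mapserv->request->ParamValues[i]);
+ if(msValidateParameter(mapserv->QueryFile, msLookupHashTable(&(mapserv->map->web.validation), "queryfile"), NULL, NULL, NULL) != MS_SUCCESS) {
+ msSetError(MS_WEBERR, "Parameter 'queryfile' value fails to validate.", "mapserv()");
+ return MS_FAILURE;
+ }
 continue;
 }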
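Review bot: The request value is copied into `mapserv->QueryFile` before it is validated, so on the failure path the rejected string remains in the mapserv object after `return MS_FAILURE`; passing `mapserv->request->ParamValues[i]` to `msValidateParameter` and calling `msStrdup` only once it returns `MS_SUCCESS` keeps unvalidated input out of state that later code may read. The check is also only as strict as the pattern stored under `queryfile` in `web.validation`: if the matcher performs an unanchored regex search (not visible in this hunk), a pattern without `^` and `$` would accept any path that merely contains a matching substring. A comment above the check would help mapfile authors, for example `/* fails closed: with no 'queryfile' validation pattern the request is rejected; anchor the pattern with ^...$ */`, with the fail-closed part assuming that `msValidateParameter` returns failure when every pattern is NULL. The body of `msCGILoadForm` starts and ends outside the hunk, so whether `mapserv->map` is always loaded at this point cannot be confirmed from here.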
