[Git][debian-gis-team/mapserver][upstream] New upstream version 8.6.2

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Sun Apr 19 16:07:05 BST 2026



Bas Couwenberg pushed to branch upstream at Debian GIS Project / mapserver


Commits:
b8048063 by Bas Couwenberg at 2026-04-19T16:52:27+02:00
New upstream version 8.6.2
- - - - -


8 changed files:

- .github/workflows/start.sh
- CITATION.cff
- CMakeLists.txt
- HISTORY.md
- src/apps/mapserv.c
- src/maprasterquery.c
- src/maptemplate.c
- src/maputil.c


Changes:

=====================================
.github/workflows/start.sh
=====================================
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 


=====================================
CITATION.cff
=====================================
@@ -1,8 +1,8 @@
 cff-version: 1.2.0
 title: MapServer
 message: If you use this software, please cite it using the metadata from this file.
-version: 8.6.1
-date-released: 2026-03-23
+version: 8.6.2
+date-released: 2026-04-19
 abstract: MapServer is an Open Source platform for publishing spatial data and interactive mapping applications to the web.
 type: software
 authors:


=====================================
CMakeLists.txt
=====================================
@@ -17,7 +17,7 @@ include(CheckCSourceCompiles)
 
 set (MapServer_VERSION_MAJOR 8)
 set (MapServer_VERSION_MINOR 6)
-set (MapServer_VERSION_REVISION 1)
+set (MapServer_VERSION_REVISION 2)
 set (MapServer_VERSION_SUFFIX "")
 
 # Set C++ version


=====================================
HISTORY.md
=====================================
@@ -13,6 +13,15 @@ https://mapserver.org/development/changelog/
 
 The online Migration Guide can be found at https://mapserver.org/MIGRATION_GUIDE.html
 
+8.6.2 release (2026-04-19)
+--------------------------
+
+- security: only allow SRS or CRS parameters for OpenLayers template (#7480)
+
+- fix segmentation fault in PHP MapScriptNG (#7471)
+
+see detailed changelog for other fixes
+
 8.6.1 release (2026-03-23)
 --------------------------
 


=====================================
src/apps/mapserv.c
=====================================
@@ -284,7 +284,7 @@ int main(int argc, char *argv[]) {
           goto end_request;
         }
       }
-      if (ms_index_dir != NULL &&
+      if (ms_index_dir != NULL && mapserv->request->path_info != NULL &&
           strcmp(mapserv->request->path_info, "/") == 0) {
         // return the landing page
         msCGIDispatchIndexRequest(mapserv, config);


=====================================
src/maprasterquery.c
=====================================
@@ -329,11 +329,20 @@ static void msRasterQueryAddPixel(layerObj *layer, pointObj *location,
   /* -------------------------------------------------------------------- */
   else {
     if (rlinfo->band_count >= 3) {
-      red = (int)MS_MAX(0, MS_MIN(255, values[0]));
-      green = (int)MS_MAX(0, MS_MIN(255, values[1]));
-      blue = (int)MS_MAX(0, MS_MIN(255, values[2]));
+      if (!CPLIsFinite(values[0]) || !CPLIsFinite(values[1]) ||
+          !CPLIsFinite(values[2])) {
+        nodata = TRUE;
+      } else {
+        red = (int)MS_MAX(0, MS_MIN(255, values[0]));
+        green = (int)MS_MAX(0, MS_MIN(255, values[1]));
+        blue = (int)MS_MAX(0, MS_MIN(255, values[2]));
+      }
     } else {
-      red = green = blue = (int)MS_MAX(0, MS_MIN(255, values[0]));
+      if (!CPLIsFinite(values[0])) {
+        nodata = TRUE;
+      } else {
+        red = green = blue = (int)MS_MAX(0, MS_MIN(255, values[0]));
+      }
     }
   }
 
@@ -345,7 +354,7 @@ static void msRasterQueryAddPixel(layerObj *layer, pointObj *location,
   /*      described in:                                                   */
   /*       http://mapserver.gis.umn.edu/bugs/show_bug.cgi?id=1021         */
   /* -------------------------------------------------------------------- */
-  if (rlinfo->qc_class != NULL) {
+  if (rlinfo->qc_class != NULL && !nodata) {
     p_class = msGetClass_FloatRGB(layer, values[0], red, green, blue);
 
     if (p_class == -1)
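Review bot: With `!nodata` added to this condition, a pixel with a non-finite band value now skips msGetClass_FloatRGB, and in the previous hunk it also skips the assignments to `red`, `green` and `blue`. Whatever `p_class` and the three colour variables hold at that point is what the rest of msRasterQueryAddPixel sees. Their declarations and the later nodata handling are outside both hunks, so it is worth confirming they are initialised and that a nodata pixel is dropped before any of them is read. A short comment at the CPLIsFinite checks, for example `/* non-finite values cannot be safely converted to int: treat the pixel as nodata */`, would record why the guard exists.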


=====================================
src/maptemplate.c
=====================================
@@ -5001,21 +5001,36 @@ int msReturnOpenLayersPage(mapservObj *mapserv) {
   char *format = NULL;
 
   /* 2 CGI parameters are used in the template. we need to transform them
-   * to be sure the case match during the template processing. We also
-   * need to search the SRS/CRS parameter to get the projection info. OGC
-   * services version >= 1.3.0 uses CRS rather than SRS */
+   * to be sure the case matches during the template processing.*/
+
+  const char *version = NULL;
   for (i = 0; i < mapserv->request->NumParams; i++) {
-    if ((strcasecmp(mapserv->request->ParamNames[i], "SRS") == 0) ||
-        (strcasecmp(mapserv->request->ParamNames[i], "CRS") == 0)) {
-      projection = mapserv->request->ParamValues[i];
-    } else if (strcasecmp(mapserv->request->ParamNames[i], "LAYERS") == 0) {
+    if (strcasecmp(mapserv->request->ParamNames[i], "LAYERS") == 0) {
       free(mapserv->request->ParamNames[i]);
       mapserv->request->ParamNames[i] = msStrdup("LAYERS");
     } else if (strcasecmp(mapserv->request->ParamNames[i], "VERSION") == 0) {
       free(mapserv->request->ParamNames[i]);
       mapserv->request->ParamNames[i] = msStrdup("VERSION");
+      version = mapserv->request->ParamValues[i];
     }
   }
+
+  /* Determine whether this is a 1.3.0 request.
+   * CRS is used for VERSION 1.3.0, SRS for earlier versions. */
+
+  if (mapserv->Mode != BROWSE) {
+    const int use_crs = (version != NULL && strcmp(version, "1.3.0") >= 0);
+    const char *proj_param = use_crs ? "CRS" : "SRS";
+
+    /* get the correct projection parameter */
+    for (i = 0; i < mapserv->request->NumParams; i++) {
+      if (strcasecmp(mapserv->request->ParamNames[i], proj_param) == 0) {
+        projection = msEncodeHTMLEntities(mapserv->request->ParamValues[i]);
+        break;
+      }
+    }
+  }
+
   if (mapserv->map->outputformat->mimetype &&
       *mapserv->map->outputformat->mimetype) {
     format = mapserv->map->outputformat->mimetype;
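Review bot: `msEncodeHTMLEntities` on the SRS/CRS value is the right escape only if the template places `projection` in HTML text or an attribute. The substitution site is outside this hunk, and if the value lands inside a script string literal, entity encoding may not neutralise backslashes or line terminators. Since a projection identifier has a narrow shape, an allow-list check on the value before use (accept only the expected authority-and-code characters, reject everything else) would be a stronger guard than escaping alone. Separately, `strcmp(version, "1.3.0") >= 0` is a lexical comparison, so a value such as `1.10.0` sorts below `1.3.0` and any non-numeric string sorts above it. Comparing against the known version strings, or adding a comment that only those are expected, would make the intent explicit.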
@@ -5055,6 +5070,7 @@ int msReturnOpenLayersPage(mapservObj *mapserv) {
   msIO_fwrite(buffer, strlen(buffer), 1, stdout);
   free(layer);
   free(buffer);
+  free(projection);
 
   return MS_SUCCESS;
 }
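Review bot: `free(projection)` is added only on the success path at the end of msReturnOpenLayersPage, while `projection` now holds the (presumably heap-allocated) result of msEncodeHTMLEntities obtained near the top of the function. The code between the two hunks is not shown, so any early `return` there would leak the string, and any assignment of a pointer the function does not own to `projection` would make this free invalid; both are worth checking. A comment at the declaration such as `/* owned: HTML-encoded copy, freed before return */` would document the changed ownership.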


=====================================
src/maputil.c
=====================================
@@ -62,6 +62,8 @@ extern char *msyystring_buffer;
 extern int msyylex_destroy(void);
 extern int yyparse(parseObj *);
 
+int gdal_destroyed = 0;
+
 int msScaleInBounds(double scale, double minscale, double maxscale) {
   if (scale > 0) {
     if (maxscale != -1 && scale >= maxscale)
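Review bot: `gdal_destroyed` is defined with external linkage and no `ms` prefix, although the three hunks in this file only use it inside maputil.c. If no other translation unit needs it, `static int gdal_destroyed = 0;` keeps it out of the library's exported symbols. A one-line comment such as `/* set by msCleanup() after GDALDestroy(); tells msSetup() to re-register drivers */` would also explain its role.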
@@ -2130,6 +2132,13 @@ int msSetup() {
   msThreadInit();
 #endif
 
+  if (gdal_destroyed) {
+    msAcquireLock(TLOCK_GDAL);
+    GDALAllRegister();
+    gdal_destroyed = 0;
+    msReleaseLock(TLOCK_GDAL);
+  }
+
   /* Use PROJ_DATA/PROJ_LIB env vars if set */
   msProjDataInitFromEnv();
 
@@ -2176,6 +2185,7 @@ void msCleanup() {
   msAcquireLock(TLOCK_GDAL);
   /* Cleanup some GDAL global resources in particular */
   GDALDestroy();
+  gdal_destroyed = 1;
   msReleaseLock(TLOCK_GDAL);
 
   msSetPROJ_DATA(NULL, NULL);
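Review bot: The flag is set here while TLOCK_GDAL is held, but the msSetup hunk above tests `gdal_destroyed` before acquiring the lock, so that read is unsynchronised with this write. If msSetup and msCleanup can ever run on different threads, take the lock first and test inside it: `msAcquireLock(TLOCK_GDAL); if (gdal_destroyed) { GDALAllRegister(); gdal_destroyed = 0; } msReleaseLock(TLOCK_GDAL);`. If they are strictly single-threaded lifecycle calls, a comment saying so would be enough. msCleanup's body continues outside this hunk.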



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/b804806349450e91b40fb45a3c834c98837a7304
