<div dir="ltr"><div>We could add a pattern but this really comes down to packaging and MapServer installation. <br></div><div><br></div><div>I am 100% willing to support packagers if we can do some small things in our CI to make them ready to go.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 31, 2021 at 9:27 AM Brent Fraser <<a href="mailto:bfraser@geoanalytic.com">bfraser@geoanalytic.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-family:arial;font-size:14px"><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><div style="box-sizing:border-box">Hi All,</div><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><div style="box-sizing:border-box">  I wonder if we should review our GeoMoose Examples with this security issue in mind.  Comments?</div><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><div style="box-sizing:border-box">Best Regards,</div><div style="box-sizing:border-box">Brent Fraser</div><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><hr id="gmail-m_8798866107018269463previousmessagehr" style="box-sizing:border-box;clear:both"><div style="box-sizing:border-box"><span style="box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:700">From</strong>: Steve Lime <<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a>><br style="box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:700">Sent</strong>: 3/30/21 12:25 PM<br style="box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:700">To</strong>: MapServer Dev Mailing List <<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>>, Mapserver <<a 
href="mailto:mapserver-users@lists.osgeo.org" target="_blank">mapserver-users@lists.osgeo.org</a>><br style="box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:700">Subject</strong>: [mapserver-users] Security Advisory - Limiting Mapfile Access</span></div><div style="box-sizing:border-box"><br style="box-sizing:border-box"></div><div dir="ltr" style="box-sizing:border-box"><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)">Hi
all: This is an important reminder that, as part of a secure deployment, it is
important to limit MapServer CGI access to mapfiles. The MapServer CGI has long supported
the use of environment variables as a primary mechanism to do this. If you
haven't implemented these controls then that constitutes undue risk that is
easily mitigated and we strongly encourage you to do so as soon as possible. It's also a great time to
review those settings if you already have them in place as we've recently
updated regex examples related to MS_MAP_PATTERN to limit path traversal.</p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)"> </p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)">Relevant
documentation can be found at:</p><ul style="margin-bottom:0in;box-sizing:border-box;list-style:revert;padding:revert;margin-top:revert" type="disc"><li style="margin-right:0in;margin-left:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box"><a href="https://mapserver.org/optimization/limit_mapfile_access.html" rel="noopener noreferrer" style="color:blue;box-sizing:border-box;text-decoration:underline" target="_blank">https://mapserver.org/optimization/limit_mapfile_access.html</a></li><li style="margin-right:0in;margin-left:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box"><a href="https://mapserver.org/environment_variables.html#environment-variables" rel="noopener noreferrer" style="color:blue;box-sizing:border-box;text-decoration:underline" target="_blank">https://mapserver.org/environment_variables.html</a></li></ul><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)"> </p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)">Please
don't hesitate to reach out with questions.</p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)"> </p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)">--Steve</p><p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;box-sizing:border-box;color:rgb(68,68,68)"><br style="box-sizing:border-box"></p></div></div>
_______________________________________________<br>
mapserver-users mailing list<br>
<a href="mailto:mapserver-users@lists.osgeo.org" target="_blank">mapserver-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-users" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-users</a><br>
_______________________________________________<br>
geomoose-psc mailing list<br>
<a href="mailto:geomoose-psc@lists.osgeo.org" target="_blank">geomoose-psc@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geomoose-psc" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/geomoose-psc</a><br>
</blockquote></div>
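The advisory quoted above recommends pinning MS_MAP_PATTERN so the CGI map= parameter cannot reach mapfiles outside the intended directory. As an added example (not code from the list thread or the MapServer project), this Python script approximates MapServer's regex check as an unanchored search and contrasts a suffix-only pattern with an anchored allowlist against constructed sample paths; the directory, both pattern strings and the search semantics are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed patterns (assumptions, not the values from the MapServer docs).
# LOOSE only checks the suffix, so "../" components pass through it.
# STRICT pins the directory and restricts filename characters, so a path
# component such as ".." or a different directory cannot match.
LOOSE_PATTERN = r"\.map$"
STRICT_PATTERN = r"^/var/www/maps/[A-Za-z0-9_-]+\.map$"

# Constructed sample map= values a deployment might receive.
SAMPLE_REQUESTS: List[str] = [
    "/var/www/maps/demo.map",                 # the intended mapfile
    "/var/www/maps/../private/other.map",     # traversal out of the directory
    "/home/user/backup.map",                  # mapfile elsewhere on disk
    "/var/www/maps/demo.txt",                 # not a mapfile at all
]


def mapfile_allowed(map_param: str, pattern: Optional[str]) -> bool:
    """Approximate the MS_MAP_PATTERN check.

    Assumption: MapServer evaluates the pattern as an unanchored regex search,
    so the pattern itself must carry ^ and $ to constrain the whole path.
    With no pattern configured, any path is accepted, which is the risk the
    advisory asks deployers to close.
    """
    if pattern is None:
        return True
    return re.search(pattern, map_param) is not None


def evaluate(pattern: Optional[str], requests: List[str]) -> Dict[str, bool]:
    """Return a map of each candidate path to its allow/deny decision."""
    return {r: mapfile_allowed(r, pattern) for r in requests}


if __name__ == "__main__":
    # Equivalent deployment setting (Apache, constructed value):
    #   SetEnv MS_MAP_PATTERN "^/var/www/maps/[A-Za-z0-9_-]+\.map$"
    for label, pat in (("no pattern", None),
                       ("loose", LOOSE_PATTERN),
                       ("strict", STRICT_PATTERN)):
        print(f"--- {label} ---")
        for path, ok in evaluate(pat, SAMPLE_REQUESTS).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {path}")
```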