[mapserver-announce] Security Advisory – Limiting Mapfile Access
Jeff McKenna
jmckenna at gatewaygeomatics.com
Wed Mar 31 05:58:23 PDT 2021
This is an important reminder that limiting MapServer CGI access to
mapfiles is part of a secure deployment. The MapServer CGI has long
supported the use of environment variables as a primary mechanism to do
this. If you haven’t implemented these controls, you are carrying undue
risk that is easily mitigated, and we strongly encourage you to
implement them as soon as possible. If you already have them in place,
this is also a good time to review those settings, as we’ve recently
updated the regex examples related to MS_MAP_PATTERN to limit path
traversal.
Relevant documentation can be found at:
* Limit Mapfile Access:
https://mapserver.org/optimization/limit_mapfile_access.html
* Environment Variables: https://mapserver.org/environment_variables.html
Please don’t hesitate to reach out with questions.
(please also distribute this advisory to your networks, with this url:
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html )
--the MapServer PSC
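
Added example (not part of the original advisory, and not the MapServer project's code or its documented regex): a small audit that runs a candidate MS_MAP_PATTERN against map= values before you deploy it. The /srv/maps root, both patterns and all sample values are constructed, and Python's re.search is assumed to approximate the unanchored regex search applied to the pattern.

```python
import re

# Constructed patterns for a hypothetical deployment rooted at /srv/maps.
# WEAK is unanchored and lets ".*" span directory separators and "..".
WEAK_PATTERN = r"/srv/maps/.*\.map"
# STRICT anchors both ends and allows only [A-Za-z0-9_-] in each path
# segment, so "." (and therefore "..") can never appear in a directory
# or file name. Widen the class only if your real names need it.
STRICT_PATTERN = r"^/srv/maps/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$"

# Constructed map= values: (value, should the CGI be allowed to open it?)
CASES = [
    ("/srv/maps/roads.map", True),
    ("/srv/maps/project1/rivers.map", True),
    ("/srv/maps/../../etc/other.map", False),   # traversal out of the root
    ("/tmp/srv/maps/x.map", False),             # root only appears mid-path
    ("/srv/maps/roads.map.bak", False),         # ".map" not at the end
    ("/srv/maps/.hidden/x.map", False),         # dot-directory
]


def is_allowed(pattern, value):
    """True if the pattern matches anywhere in value (search semantics,
    assumed here; anchors in the pattern are what make it a full match)."""
    return re.search(pattern, value) is not None


def audit(pattern, cases):
    """Return the values where the pattern's decision differs from intent."""
    return [v for v, expected in cases if is_allowed(pattern, v) != expected]


if __name__ == "__main__":
    for name, pat in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        wrong = audit(pat, CASES)
        print(f"{name}: {len(wrong)} wrong decision(s)")
        for v in wrong:
            print(f"   accepted but should be rejected: {v}")
```

Replace the constructed cases with paths from your own deployment; the pattern is ready to set once audit() returns an empty list.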