[mapserver-commits] r10306 - branches/branch-5-6/mapserver

svn at osgeo.org svn at osgeo.org
Thu Jul 8 16:07:15 EDT 2010


Author: dmorissette
Date: 2010-07-08 20:07:15 +0000 (Thu, 08 Jul 2010)
New Revision: 10306

Modified:
   branches/branch-5-6/mapserver/README.CONFIGURE
   branches/branch-5-6/mapserver/configure
   branches/branch-5-6/mapserver/configure.in
   branches/branch-5-6/mapserver/mapserv.c
Log:
Disable insecure mapserv cgi command-line debug params by default (#3484)

Modified: branches/branch-5-6/mapserver/README.CONFIGURE
===================================================================
--- branches/branch-5-6/mapserver/README.CONFIGURE	2010-07-08 20:04:54 UTC (rev 10305)
+++ branches/branch-5-6/mapserver/README.CONFIGURE	2010-07-08 20:07:15 UTC (rev 10306)
@@ -54,6 +54,12 @@
   --disable-fast-nint     Use safe MS_NINT with reliable rounding
   --enable-debug          Include "-g" in CFLAGS for debugging.
   --disable-debug         Do not include "-g" in CFLAGS (the default).
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
   --enable-gcov           Enable source code coverage testing using gcov
   --enable-perlv-ld-detect (applies to --with-php only)
                           Use perl -V output to figure the command to use to
@@ -673,6 +679,15 @@
 
 ::
 
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
+
+::
+
   --enable-gcov           Enable source code coverage testing using gcov
 
 ::

Modified: branches/branch-5-6/mapserver/configure
===================================================================
--- branches/branch-5-6/mapserver/configure	2010-07-08 20:04:54 UTC (rev 10305)
+++ branches/branch-5-6/mapserver/configure	2010-07-08 20:07:15 UTC (rev 10306)
@@ -857,6 +857,12 @@
   --disable-fast-nint     Use safe MS_NINT with reliable rounding
   --enable-debug          Include "-g" in CFLAGS for debugging.
   --disable-debug         Do not include "-g" in CFLAGS (the default).
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
   --enable-gcov           Enable source code coverage testing using gcov
   --enable-perlv-ld-detect
                           (applies to --with-php only)
@@ -11416,8 +11422,81 @@
       POSTGIS_LIB="-L`$PG_CONFIG --libdir` -lpq"
   fi
   POSTGIS_INC="-I`$PG_CONFIG --includedir`"
+
+  old_LDFLAGS="$LDFLAGS"
+  LDFLAGS="$LDFLAGS -L`$PG_CONFIG --libdir`"
+  echo "$as_me:$LINENO: checking for PQserverVersion in -lpq" >&5
+echo $ECHO_N "checking for PQserverVersion in -lpq... $ECHO_C" >&6
+if test "${ac_cv_lib_pq_PQserverVersion+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpq  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char PQserverVersion ();
+int
+main ()
+{
+PQserverVersion ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_pq_PQserverVersion=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pq_PQserverVersion=no
 fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQserverVersion" >&5
+echo "${ECHO_T}$ac_cv_lib_pq_PQserverVersion" >&6
+if test $ac_cv_lib_pq_PQserverVersion = yes; then
+  POSTGIS_ENABLED="$POSTGIS_ENABLED -DPOSTGIS_HAS_SERVER_VERSION"
+fi
 
+  LDFLAGS="$old_LDFLAGS"
+
+fi
+
 POSTGIS_ENABLED=$POSTGIS_ENABLED
 
 POSTGIS_INC=$POSTGIS_INC
@@ -12636,6 +12715,21 @@
   CFLAGS=`echo "$CFLAGS " | sed "s/-g //"`
 fi
 
+
+{ echo "$as_me:$LINENO: checking whether we should enable mapserv CGI command-line debug arguments..." >&5
+echo "$as_me: checking whether we should enable mapserv CGI command-line debug arguments..." >&6;}
+# Check whether --enable-cgi-cl-debug-args or --disable-cgi-cl-debug-args was given.
+if test "${enable_cgi_cl_debug_args+set}" = set; then
+  enableval="$enable_cgi_cl_debug_args"
+
+fi;
+
+if test "$enable_cgi_cl_debug_args" = "yes" ; then
+  DEBUG_FLAGS="$DEBUG_FLAGS -DMS_ENABLE_CGI_CL_DEBUG_ARGS"
+  echo "$as_me:$LINENO: result:         Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS." >&5
+echo "${ECHO_T}        Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS." >&6
+fi
+
 DEBUG_FLAGS=$DEBUG_FLAGS
 
 ALL_ENABLED="$DEBUG_FLAGS $ALL_ENABLED"

Modified: branches/branch-5-6/mapserver/configure.in
===================================================================
--- branches/branch-5-6/mapserver/configure.in	2010-07-08 20:04:54 UTC (rev 10305)
+++ branches/branch-5-6/mapserver/configure.in	2010-07-08 20:07:15 UTC (rev 10306)
@@ -2382,6 +2382,24 @@
   CFLAGS=`echo "$CFLAGS " | sed "s/-g //"`
 fi
 
+dnl ---------------------------------------------------------------------
+dnl Check --enable-cgi-cl-debug-args option (OFF by default)
+dnl ---------------------------------------------------------------------
+
+AC_CHECKING(whether we should enable mapserv CGI command-line debug arguments)
+AC_ARG_ENABLE(cgi-cl-debug-args,
+[  --enable-cgi-cl-debug-args 
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on 
+                          development servers and only if you understand the 
+                          security implications.],,)
+
+if test "$enable_cgi_cl_debug_args" = "yes" ; then
+  DEBUG_FLAGS="$DEBUG_FLAGS -DMS_ENABLE_CGI_CL_DEBUG_ARGS"
+  AC_MSG_RESULT([        Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS.])
+fi
+
 AC_SUBST(DEBUG_FLAGS, $DEBUG_FLAGS)
 ALL_ENABLED="$DEBUG_FLAGS $ALL_ENABLED"
 
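Review bot: The help text passed to `AC_ARG_ENABLE(cgi-cl-debug-args, ...` carries trailing spaces on the `--enable-cgi-cl-debug-args `, `only on ` and `understand the ` lines; they end up verbatim in the generated `configure --help` output, so trimming them keeps the two files byte-consistent with the hand-edited README.CONFIGURE copy. The `AC_CHECKING(whether we should enable ...)` line prints a "checking" message but the `if test "$enable_cgi_cl_debug_args" = "yes"` block reports a result only on the enabled path, leaving the default (disabled) run with a dangling check line; an `else AC_MSG_RESULT([        mapserv CGI command-line debug arguments disabled (default).])` before the `fi` would close it on both paths. Whether the project prefers silent defaults elsewhere in configure.in is not visible from this hunk.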

Modified: branches/branch-5-6/mapserver/mapserv.c
===================================================================
--- branches/branch-5-6/mapserver/mapserv.c	2010-07-08 20:04:54 UTC (rev 10305)
+++ branches/branch-5-6/mapserver/mapserv.c	2010-07-08 20:07:15 UTC (rev 10306)
@@ -1139,13 +1139,23 @@
   /*      purposes, and to query the version info.                        */
   /* -------------------------------------------------------------------- */
   for( iArg = 1; iArg < argc; iArg++ ) {
+    /* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.
+     * The others will require an explicit -DMS_ENABLE_CGI_CL_DEBUG_ARGS
+     * at compile time.
+     */
     if( strcmp(argv[iArg],"-v") == 0 ) {
       printf("%s\n", msGetVersion());
       fflush(stdout);
       exit(0);
     } else if(strcmp(argv[iArg], "-nh") == 0) {
       sendheaders = MS_FALSE;
-    } else if( iArg < argc-1 && strcmp(argv[iArg], "-tmpbase") == 0) {
+    } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0 ) {
+      /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
+      putenv( "REQUEST_METHOD=GET" );
+      putenv( argv[iArg] );
+    }
+#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS
+    else if( iArg < argc-1 && strcmp(argv[iArg], "-tmpbase") == 0) {
       msForceTmpFileBase( argv[++iArg] );
     } else if( iArg < argc-1 && strcmp(argv[iArg], "-t") == 0) {
       char **tokens;
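Review bot: The new comment beginning `/* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.` describes the policy for the whole argument scan, yet it is placed inside the `for` body where it reads as if it applied per iteration; moving it above `for( iArg = 1; iArg < argc; iArg++ )`, next to the existing header comment on the preceding lines, keeps the default-enabled versus compile-gated split documented in one place. The `QUERY_STRING=` hook that stays enabled by default also replaces whatever `REQUEST_METHOD` the CGI environment already carried (`putenv( "REQUEST_METHOD=GET" )`), which is presumably intended for the debugging use but deserves a sentence there, e.g. `/* Overrides REQUEST_METHOD and QUERY_STRING from the CGI environment. */`. The `#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS` opened here is closed only in the next hunk, so the `-tmpbase` and `-t` branches and everything between are compiled out by default; the enclosing function starts before this hunk and continues past it.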
@@ -1161,15 +1171,13 @@
       }
             
       exit(0);
-    } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0) {
-      /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
-      putenv( "REQUEST_METHOD=GET" );
-      putenv( argv[iArg] );
     } else if( strncmp(argv[iArg], "MS_ERRORFILE=", 13) == 0 ) {
       msSetErrorFile( argv[iArg] + 13 );
     } else if( strncmp(argv[iArg], "MS_DEBUGLEVEL=", 14) == 0) {
       msSetGlobalDebugLevel( atoi(argv[iArg] + 14) );
-    } else {
+    }
+#endif /* MS_ENABLE_CGI_CL_DEBUG_ARGS */
+    else {
       /* we don't produce a usage message as some web servers pass junk arguments */
     }
   }
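Review bot: `msSetGlobalDebugLevel( atoi(argv[iArg] + 14) )` on the `MS_DEBUGLEVEL=` branch maps a malformed value silently to 0 and gives no error indication for out-of-range input; the branch is now compiled only with `-DMS_ENABLE_CGI_CL_DEBUG_ARGS`, so it is a developer-only path, but a `strtol` with an end-pointer check would make a typo visible instead of quietly switching debug output off. For example `char *end; long lvl = strtol(argv[iArg] + 14, &end, 10);` followed by `if (end != argv[iArg] + 14 && *end == '\0') msSetGlobalDebugLevel((int)lvl);`. The `#endif /* MS_ENABLE_CGI_CL_DEBUG_ARGS */` here pairs with the `#ifdef` opened in the previous hunk, and the `}` / `#endif` / `else {` splice is correct C in both configurations but is fragile if anyone later inserts a statement between the closing brace and the directive; the enclosing function continues past this hunk.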


