[mapserver-dev] Re: MapServer security issue
Steve Lime
steve.lime at dnr.state.mn.us
Mon Nov 18 13:31:27 EST 2002
Too much running through my head these days. Can you sum up the mapfile hole? I tried wading through this thread and thought I'd just ask. At the moment you can set a mapfile by:
- setting the MS_MAPFILE env variable
- setting parameter map to some file
- setting parameter map to some env variable (e.g. COMPASS_MAPFILE)
In any case, the file name is checked against a regex and that file is never returned to the user. I use the last option all the time to hide mapfile locations and to make application management easier.
Steve
Stephen Lime
Data & Applications Manager
Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155
651-297-2937
>>> Jan Hartmann <jhart at frw.uva.nl> 11/16/02 08:13AM >>>
On second thoughts:
To allow for multiple MapFiles to be accessed from URLs, MS_MAPFILE could be a colon-separated list of allowed mapfiles (file1:file2:file3:...). Each of those could be accessed via the normal ?map=mapfile parameter. The first one could be the default map. Coming to think of it, you could just as well do this with a regex. And to protect people against themselves, you could make MS_MAPFILE obligatory.
Jan
Jan Hartmann wrote:
>
> Just one final loophole, mentioned by Daniel: the mapfile from the
> calling URL. This can come anywhere in the filesystem and you cannot
> shield that with a regular expression within the mapfile (would be
> circular, wouldn't it?). His solution (adding an environment variable
> MS_MAPFILE that can override the map-URL parameter) looks fine to
> me.
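An added illustration of the two messages above, written for this page and not taken from MapServer's code or from either poster: it implements the three ways Steve lists to select a mapfile (MS_MAPFILE default, a literal path in ?map=, or ?map= naming another environment variable) together with the colon-separated MS_MAPFILE allowlist Jan proposes, and shows why a name regex on its own leaves the hole open. MS_MAPFILE, ?map= and COMPASS_MAPFILE are the names used in the thread; the regex, the function names, and the paths in the sample environments are assumptions made here.

```python
import os
import re

# Added example, not MapServer's own code. MS_MAPFILE and the ?map= parameter
# are the names used in the thread; everything else here is an assumption.

# Hypothetical name filter standing in for the regex Steve mentions: it only
# constrains the characters and the extension, so by itself it cannot confine
# the lookup to a particular directory or set of files.
MAPFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_./-]+\.map$")


def allowed_mapfiles(environ):
    """Parse MS_MAPFILE as a colon-separated allowlist (Jan's proposal).

    Returns canonical absolute paths; the first entry is the default map.
    An unset or empty MS_MAPFILE yields an empty list, i.e. no allowlist.
    """
    raw = environ.get("MS_MAPFILE", "")
    return [os.path.realpath(p) for p in raw.split(":") if p]


def resolve_mapfile(map_param, environ):
    """Resolve the ?map= parameter to a mapfile path or raise ValueError.

    Mirrors the three ways Steve lists to pick a mapfile:
      1. no ?map= parameter: fall back to the default from MS_MAPFILE
      2. ?map=<path>: a literal file name
      3. ?map=<ENV_NAME>: the name of an environment variable holding the path
    The allowlist check is applied to the canonical path, so '..' segments and
    symlinks cannot be used to spell a listed file in a way that evades the
    comparison, and a file outside the list is rejected however it is spelled.
    """
    allowed = allowed_mapfiles(environ)

    if map_param is None or map_param == "":
        if not allowed:
            raise ValueError("no ?map= parameter and MS_MAPFILE is not set")
        return allowed[0]

    # Option 3: indirection through an environment variable; if that name is
    # not set in the environment, treat the parameter as a literal path (2).
    candidate = environ.get(map_param, map_param)

    if not MAPFILE_NAME_RE.match(candidate):
        raise ValueError("mapfile name rejected by name filter: %r" % candidate)

    real = os.path.realpath(candidate)

    # Without MS_MAPFILE there is nothing to compare against. This is the hole
    # discussed in the thread: any .map file the server process can read is
    # accepted as long as its name passes the filter.
    if allowed and real not in allowed:
        raise ValueError("mapfile not in MS_MAPFILE allowlist: %r" % real)
    return real


def is_accepted(map_param, environ):
    """True if resolve_mapfile() accepts the parameter under this environment."""
    try:
        resolve_mapfile(map_param, environ)
        return True
    except ValueError:
        return False


# Constructed environments for a demonstration run (the paths are made up).
LOCKED_DOWN = {
    "MS_MAPFILE": "/opt/demo/maps/a.map:/opt/demo/maps/b.map",
    "COMPASS_MAPFILE": "/opt/demo/maps/b.map",
}
NO_ALLOWLIST = {"COMPASS_MAPFILE": "/opt/demo/maps/b.map"}

if __name__ == "__main__":
    for env_name, env in (("locked down", LOCKED_DOWN), ("no MS_MAPFILE", NO_ALLOWLIST)):
        for param in (None, "COMPASS_MAPFILE", "/opt/demo/maps/../maps/a.map",
                      "/data/uploads/evil.map", "/etc/passwd"):
            print("%-14s %-32r -> %s" % (env_name, param, is_accepted(param, env)))
```

Run stand-alone, the demonstration table shows the difference the allowlist makes: with MS_MAPFILE set, `/data/uploads/evil.map` is rejected even though it passes the name filter, while `/opt/demo/maps/../maps/a.map` is accepted because it canonicalises to a listed file; with MS_MAPFILE unset, the same evil.map path is accepted and only `/etc/passwd` is stopped, by the extension check alone. Comparing canonical paths rather than the raw string is the part worth keeping whatever the final MapServer design looked like.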