[mapserver-dev] Question about the bad mapfile pattern (vulnerability) check

[Tamas Szekeres]

Hi Developers,

I noticed that the double back slashes are excluded from the accepted
mapfile pattern in one of the commits not too long ago according to
security vulnerability reasons. The bad patten regex is now looking like:

const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,";

Do we have a specific reason why we don't accept the double back slashes at
the beginning of the mapfile path? This normally refers to a network share
which is considered to be an absolute path, and our use cases are working
like that extensively. I guess we wanted to exclude the relative paths
basically, but it seems not to be that case.
I'm also wondering if the double forward slashes at the beginning makes
much sense to exclude, since I think that is treated as a single forward
slash in the unix like systems which is normally accepted.

Thanks,

Tamas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20220210/0bdc0da9/attachment.html>