[mapserver-dev] Question about the bad mapfile pattern (vulnerability) check

[Steve Lime]

The idea was to limit things to local paths with no back references by
default. We're not distinguishing between OSes in setting that pattern.
It's possible it's a bit overzealous so we could tweak the default if that
makes sense across operating systems. It can be overridden by
environment variable (or within the config file) and could be turned off
completely with an expression that will never match.

On Thu, Feb 10, 2022 at 4:34 AM Tamas Szekeres <szekerest at gmail.com> wrote:

> Hi Developers,
>
> I noticed that the double back slashes are excluded from the accepted
> mapfile pattern in one of the commits not too long ago according to
> security vulnerability reasons. The bad patten regex is now looking like:
>
> const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,";
>
> Do we have a specific reason why we don't accept the double back slashes
> at the beginning of the mapfile path? This normally refers to a network
> share which is considered to be an absolute path, and our use cases are
> working like that extensively. I guess we wanted to exclude the relative
> paths basically, but it seems not to be that case.
> I'm also wondering if the double forward slashes at the beginning makes
> much sense to exclude, since I think that is treated as a single forward
> slash in the unix like systems which is normally accepted.
>
> Thanks,
>
> Tamas
>
> _______________________________________________
> MapServer-dev mailing list
> MapServer-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20220210/a2db3a13/attachment.html>