<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
We do already use a wrapper script, but I didn't include it here to keep things simpler. I am not entirely clear on the dangers of exposing .map files in the URL. I have a few guesses, but I am not positive. That said, using the wrapper, we can modify the
parameters to change the .map file specified from</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
/foo.map</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
To </div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
/myOrg_mapserver/foo.map</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks,</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Rob</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> MapServer-users <mapserver-users-bounces@lists.osgeo.org> on behalf of Scott via MapServer-users <mapserver-users@lists.osgeo.org><br>
<b>Sent:</b> Thursday, March 20, 2025 5:31 PM<br>
<b>To:</b> mapserver-users@lists.osgeo.org <mapserver-users@lists.osgeo.org><br>
<b>Subject:</b> Re: [MapServer-users] Is there a way to set the document root for .map files?</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">External: Beware of links/attachments.<br>
<br>
<br>
<br>
Not only is exposing your .map files not a great idea, you should<br>
consider wrapping your mapserv url in a php/python/etc script.<br>
<br>
That way you can filter any passed data to see if it's suspect or just<br>
gather stats. More importantly, it hides any info about your backend,<br>
including the name of the mapserv binary. I rename mapserv to a<br>
non-obvious name in cgi-bin and use a wrapper.<br>
<br>
In your case, using a wrapper around mapserv would allow you to hard<br>
code one single url for all you apps/client, then the wrapper could<br>
update the url based on customer.<br>
<br>
You could also set up a redirect in your web server to redirect all<br>
/cgi-bin/mapserv requests to that wrapper.<br>
<br>
Scott<br>
<br>
<br>
On 3/20/25 14:05, Rob Dennett via MapServer-users wrote:<br>
> Can you expand on the potential security issue posed by using the path<br>
> name?<br>
><br>
> Thanks,<br>
> Rob<br>
> ------------------------------------------------------------------------<br>
> *From:* Richard Greenwood <richard.greenwood@gmail.com><br>
> *Sent:* Thursday, March 20, 2025 1:34 PM<br>
> *To:* Rob Dennett <Rob.Dennett@twdb.texas.gov><br>
> *Cc:* mapserver <mapserver-users@lists.osgeo.org><br>
> *Subject:* Re: [MapServer-users] Is there a way to set the document root<br>
> for .map files?<br>
><br>
> External: Beware of links/attachments.<br>
><br>
><br>
><br>
> This doesn't exactly answer your question, but directly referencing your<br>
> map file in the URL is discouraged because it's a potential<br>
> security issue. The "best practice" is to create an alias to each of<br>
> your map files. For mapserv >= 8.0 that can be done in the<br>
> mapserver.conf file, for example:<br>
> MAP<br>
> foo1 "/path/to/foo1.map<br>
> foo2 "/path/to/foo2.map<br>
> END<br>
> or for mapserv < 8.0 it can be done in the Apache config:<br>
> SetEnv foo1 "/path/to/foo1.map"<br>
> SetEnv foo1 "/path/to/foo1.map"<br>
> And then "best practice" is to block access to map files on the file<br>
> system with<br>
> MS_MAP_NO_PATH "1"<br>
> which is done in the mapserver.conf or the Apache conf depending on<br>
> mapserv version.<br>
><br>
> If you still want to reference map files in the http request I believe<br>
> they are relative to the mapserv binary (I'm saying this from memory, so<br>
> I might be wrong). So you could put a symlink in your cgi-bin/ to /path/<br>
> to/mapfiles/ but I think that's a terrible idea.<br>
><br>
> Rich<br>
><br>
><br>
><br>
><br>
> On Thu, Mar 20, 2025 at 9:37 AM Rob Dennett via MapServer-users<br>
> <mapserver-users@lists.osgeo.org <<a href=""></a>mailto:mapserver-<br>
> users@lists.osgeo.org>> wrote:<br>
><br>
> Is there a way to set a sort of document root for .map files and<br>
> other files .map files might reference? For example, my .map files<br>
> are found at the root of an S3 bucket and we're trying to use an EFS<br>
> volume instead. Our URLs currently look like<br>
><br>
> <a href="https://www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&">https://www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&</a>. <https://<br>
> <a href="http://www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&.>">www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&.></a>..<br>
><br>
> Where foo.map lives in the root of the s3 bucket. With the new<br>
> system we want, it will live at the root of the EFS volume, but with<br>
> that volume mounted in a different directory in the docker container<br>
> where MapServer runs, e.g. /ourOrg_mapserver. The file system in<br>
> the container is<br>
><br>
> /ourOrg_mapserver/foo.map<br>
><br>
> There are many existing URLs in our client apps as well as 3rd party<br>
> customer apps which use the above URL. Is there a way to set up<br>
> mapserver so that /ourOrg_mapserver acts like an Apache document<br>
> root so that existing stuff won't need to change?<br>
><br>
> Thanks,<br>
> Rob<br>
> _______________________________________________<br>
> MapServer-users mailing list<br>
> MapServer-users@lists.osgeo.org <<a href="mailto:MapServer-users@lists.osgeo.org">mailto:MapServer-users@lists.osgeo.org</a>><br>
> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-users">https://lists.osgeo.org/mailman/listinfo/mapserver-users</a> <https://<br>
> lists.osgeo.org/mailman/listinfo/mapserver-users><br>
><br>
><br>
><br>
> --<br>
> Richard W. Greenwood<br>
> <a href="http://www.greenwoodmap.com">www.greenwoodmap.com</a> <<a href="http://www.greenwoodmap.com">http://www.greenwoodmap.com</a>><br>
><br>
> _______________________________________________<br>
> MapServer-users mailing list<br>
> MapServer-users@lists.osgeo.org<br>
> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-users">https://lists.osgeo.org/mailman/listinfo/mapserver-users</a><br>
<br>
_______________________________________________<br>
MapServer-users mailing list<br>
MapServer-users@lists.osgeo.org<br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-users">https://lists.osgeo.org/mailman/listinfo/mapserver-users</a><br>
</div>
</span></font></div>
</body>
</html>