[geomoose-psc] FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

Dan Little theduckylittle at gmail.com
Thu Apr 1 04:39:10 PDT 2021


We could add a pattern but this really comes down to packaging and
MapServer installation.

I am 100% willing to support packagers if we can do some small things in
our CI to make them ready to go.

On Wed, Mar 31, 2021 at 9:27 AM Brent Fraser <bfraser at geoanalytic.com>
wrote:

>
> Hi All,
>
>   I wonder if we should review our GeoMoose Examples with this security
> issue in mind.  Comments?
>
> Best Regards,
> Brent Fraser
>
>
> ------------------------------
> *From*: Steve Lime <sdlime at gmail.com>
> *Sent*: 3/30/21 12:25 PM
> *To*: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>,
> Mapserver <mapserver-users at lists.osgeo.org>
> *Subject*: [mapserver-users] Security Advisory - Limiting Mapfile Access
>
> Hi all: This is an important reminder that, as part of a secure
> deployment, it is important to limit MapServer CGI access to mapfiles. The
> MapServer CGI has long supported the use of environment variables as a
> primary mechanism to do this. If you haven't implemented these controls
> then that constitutes undue risk that is easily mitigated and we strongly
> encourage you to do so as soon as possible. It's also a great time to
> review those settings if you already have them in place as we've recently
> updated regex examples related to MS_MAP_PATTERN to limit path traversal.
>
>
>
> Relevant documentation can be found at:
>
>    - https://mapserver.org/optimization/limit_mapfile_access.html
>    - https://mapserver.org/environment_variables.html
>
>
>
> Please don't hesitate to reach out with questions.
>
>
>
> --Steve
>
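
An added example, not part of the thread above and not MapServer or GeoMoose code: a small audit that checks candidate MS_MAP_PATTERN values against request values that should and should not be served. The patterns, the /srv/maps directory and the sample values are constructed, and Python's re module stands in for the server's regex engine on the assumption that the pattern is searched anywhere in the value unless it is anchored.

```python
import re

# Constructed candidate patterns (not copied from the MapServer documentation).
CANDIDATES = {
    "unanchored": r"/srv/maps/",
    "anchored_dir": r"^/srv/maps/.*\.map$",
    # Every path segment is limited to a safe character class, so "." and
    # ".." segments can never appear between the prefix and the file name.
    "strict": r"^/srv/maps/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$",
}

# Constructed request values: (value of the map parameter, intended decision).
SAMPLES = [
    ("/srv/maps/demo/parcels.map", True),
    ("/srv/maps/roads.map", True),
    ("/srv/maps/../../etc/other.map", False),            # climbs out of the directory
    ("/tmp/upload/srv/maps/x.map", False),               # prefix appears mid-path
    ("/srv/maps/demo/parcels.map.bak", False),           # not a mapfile
    ("/srv/maps/demo/./../../private/site.map", False),  # dot segments after a valid prefix
]


def audit(pattern):
    """Return the sample values where the pattern disagrees with the intended decision."""
    rx = re.compile(pattern)
    # search(), not fullmatch(): assumed to mirror an unanchored regex match.
    return [value for value, allowed in SAMPLES
            if bool(rx.search(value)) != allowed]


def report():
    """Audit every candidate pattern and return {name: [misjudged values]}."""
    return {name: audit(pattern) for name, pattern in CANDIDATES.items()}


if __name__ == "__main__":
    for name, misses in report().items():
        status = "OK" if not misses else "REVIEW"
        print(f"{status:6} {name}: {CANDIDATES[name]}")
        for value in misses:
            print(f"         wrongly accepted or rejected: {value}")
```

A pattern that passes here still needs to be tested against the deployed MapServer, since its regex dialect and path handling are what finally decide.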