[geomoose-psc] FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

Jeff McKenna jmckenna at gatewaygeomatics.com
Thu Apr 1 10:29:02 PDT 2021


Hi all, I hope my -users response was well received.  Not an easy, and 
exhausting, subject, yet important.

I think maybe the GeoMoose-MS4W package (specifically in the .conf files 
in /ms4w/httpd.d/gm*.conf) could link to the MS4W security-steps 
document now, and even include commented-out examples.

But then it is getting quite overlapping, with the main MS4W installer 
(and likely the big upcoming MapServer 8.0, possibly containing even 
more additional security steps).

So right now at this exact moment I side more with making sure the 
documentation now is excellent, and then adapting (fast) to the upcoming 
8.0 changes that are most likely coming.  (That's how I handled this 
thinking these past few weeks: focus first on existing MapServer 
installations on all platforms, make a good announcement, get it visible 
and out to all communities, and then make sure MS4W users have specific 
recommended steps AND recommended testing steps, to enable on their 
existing servers.)

Maybe others feel differently on how to handle all this, but at least 
now I hope you can understand my logic, right or wrong.

Phew, exhausting ha.

Hope my explaining helps.

-jeff



On 2021-04-01 8:39 a.m., Dan Little wrote:
> We could add a pattern but this really comes down to packaging and 
> MapServer installation.
> 
> I am 100% willing to support packagers if we can do some small things in 
> our CI to make them ready to go.
> 
> On Wed, Mar 31, 2021 at 9:27 AM Brent Fraser <bfraser at geoanalytic.com 
> <mailto:bfraser at geoanalytic.com>> wrote:
> 
> 
>     Hi All,
> 
>        I wonder if we should review our GeoMoose Examples with this
>     security issue in mind.  Comments?
> 
>     Best Regards,
>     Brent Fraser
> 
> 
>     ------------------------------------------------------------------------
>     *From*: Steve Lime <sdlime at gmail.com <mailto:sdlime at gmail.com>>
>     *Sent*: 3/30/21 12:25 PM
>     *To*: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org
>     <mailto:mapserver-dev at lists.osgeo.org>>, Mapserver
>     <mapserver-users at lists.osgeo.org
>     <mailto:mapserver-users at lists.osgeo.org>>
>     *Subject*: [mapserver-users] Security Advisory - Limiting Mapfile Access
> 
>     Hi all: This is an important reminder that, as part of a secure
>     deployment, it is important to limit MapServer CGI access to
>     mapfiles. The MapServer CGI has long supported the use of
>     environment variables as a primary mechanism to do this. If you
>     haven't implemented these controls then that constitutes undue risk
>     that is easily mitigated and we strongly encourage you to do so as
>     soon as possible. It's also a great time to review those settings if
>     you already have them in place as we've recently updated regex
>     examples related to MS_MAP_PATTERN to limit path traversal.
> 
>     Relevant documentation can be found at:
> 
>       * https://mapserver.org/optimization/limit_mapfile_access.html
>       * https://mapserver.org/environment_variables.html
> 
>     Please don't hesitate to reach out with questions.
> 
>     --Steve
> 
> 
>     _______________________________________________
>     mapserver-users mailing list
>     mapserver-users at lists.osgeo.org <mailto:mapserver-users at lists.osgeo.org>
>     https://lists.osgeo.org/mailman/listinfo/mapserver-users
>     <https://lists.osgeo.org/mailman/listinfo/mapserver-users>
>     _______________________________________________
>     geomoose-psc mailing list
>     geomoose-psc at lists.osgeo.org <mailto:geomoose-psc at lists.osgeo.org>
>     https://lists.osgeo.org/mailman/listinfo/geomoose-psc
>     <https://lists.osgeo.org/mailman/listinfo/geomoose-psc>
> 
> 
> 


-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/
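The advisory quoted above says the MS_MAP_PATTERN regex was tightened to limit path traversal, and Jeff asks for recommended testing steps. The following added example (written for this page, not code from MapServer, MS4W or GeoMoose) shows how to check a candidate pattern offline before setting it in the web server environment: a lax pattern ending in `.*` accepts a `map=` value containing `../`, while a pattern that only admits word characters between the root and `.map` rejects it. The mapfile root `/opt/mapserver/mapfiles` and both regexes are assumptions for illustration; on MS4W the root would be a Windows path.

```python
import posixpath
import re

# Assumed mapfile root; adapt to the real deployment (on MS4W a Windows path).
MAPFILE_ROOT = "/opt/mapserver/mapfiles"

# Lax pattern: ".*" also matches "../" segments, so the root can be escaped.
LAX_PATTERN = re.compile(r"^" + re.escape(MAPFILE_ROOT) + r"/.*\.map$")

# Strict pattern: only word characters and "/" between root and ".map",
# so a "." (and therefore "..") can never appear in a path segment.
STRICT_PATTERN = re.compile(r"^" + re.escape(MAPFILE_ROOT) + r"/(\w+/)*\w+\.map$")


def pattern_allows(pattern: re.Pattern, map_param: str) -> bool:
    """True if the regex alone would accept this map= CGI value."""
    return pattern.search(map_param) is not None


def stays_under_root(map_param: str, root: str = MAPFILE_ROOT) -> bool:
    """Defence in depth: normalise the path and confirm it is still under root."""
    resolved = posixpath.normpath(map_param)
    return resolved.startswith(root + "/")


def audit(map_param: str) -> dict:
    """Evaluate one candidate map= value against the lax regex, the strict
    regex, and the normalised-path check, so a reviewer can compare them."""
    return {
        "lax": pattern_allows(LAX_PATTERN, map_param),
        "strict": pattern_allows(STRICT_PATTERN, map_param),
        "under_root": stays_under_root(map_param),
    }


# Constructed sample map= values a packager would test after setting the variable.
SAMPLES = [
    "/opt/mapserver/mapfiles/parcels.map",
    "/opt/mapserver/mapfiles/sub/roads.map",
    "/opt/mapserver/mapfiles/../../other/private.map",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit(sample))
```

The third sample is accepted by the lax regex but rejected by both the strict regex and the normalised-path check, which is the behaviour to confirm on a live server by requesting the same values through the CGI.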

