[geomoose-psc] FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

Brent Fraser bfraser at geoanalytic.com
Wed Mar 31 07:22:23 PDT 2021


Hi All,

I wonder if we should review our GeoMoose Examples with this security issue in mind.  Comments?

Best Regards,
Brent Fraser

----------------------------------------

From: Steve Lime <sdlime at gmail.com>
Sent: 3/30/21 12:25 PM
To: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>, Mapserver <mapserver-users at lists.osgeo.org>
Subject: [mapserver-users] Security Advisory - Limiting Mapfile Access

Hi all: This is an important reminder that, as part of a secure deployment, it is important to limit MapServer CGI access to mapfiles. The MapServer CGI has long supported the use of environment variables as a primary mechanism to do this. If you haven't implemented these controls then that constitutes undue risk that is easily mitigated and we strongly encourage you to do so as soon as possible. It's also a great time to review those settings if you already have them in place as we've recently updated regex examples related to MS_MAP_PATTERN to limit path traversal.

Relevant documentation can be found at:

- https://mapserver.org/optimization/limit_mapfile_access.html
- https://mapserver.org/environment_variables.html

Please don't hesitate to reach out with questions.

--Steve
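
The advisory's point about MS_MAP_PATTERN and path traversal, as an added example that is not part of either e-mail and not a regex from the MapServer documentation: it checks a candidate pattern against sample map= values and reports any it accepts that resolve outside the mapfile directory. The directory /opt/mapserver, both patterns and all sample values are constructed, and Python's re module stands in for MapServer's own regex engine as an assumption.

```python
import posixpath
import re

MAP_ROOT = "/opt/mapserver"  # assumed mapfile directory for this example

# Constructed candidate values for MS_MAP_PATTERN (not MapServer's documented regex).
# LOOSE anchors the prefix and extension but lets ".*" span "../" segments.
LOOSE = r"^/opt/mapserver/.*\.map$"
# STRICT requires every path segment to start with an alphanumeric character,
# so "." and ".." segments can never match.
STRICT = (r"^/opt/mapserver/([A-Za-z0-9][A-Za-z0-9_.-]*/)*"
          r"[A-Za-z0-9][A-Za-z0-9_.-]*\.map$")

# Constructed map= values a request could carry.
SAMPLES = [
    "/opt/mapserver/state.map",
    "/opt/mapserver/demo/parcels.map",
    "/opt/mapserver/../../tmp/other.map",
    "/opt/mapserver/demo/../../../home/user/x.map",
    "/opt/mapserver/demo/parcels.map.bak",
    "/etc/passwd",
]


def stays_under_root(value, root=MAP_ROOT):
    """True when the normalized path is a .map file below root."""
    norm = posixpath.normpath(value)
    return norm.startswith(root + "/") and norm.endswith(".map")


def audit(pattern, samples=SAMPLES):
    """Return values the pattern accepts although they resolve outside MAP_ROOT."""
    rx = re.compile(pattern)
    return [v for v in samples if rx.search(v) and not stays_under_root(v)]


def wrongly_rejected(pattern, samples=SAMPLES):
    """Return legitimate mapfile paths that the pattern would block."""
    rx = re.compile(pattern)
    return [v for v in samples if stays_under_root(v) and not rx.search(v)]


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "accepts outside root:", audit(pattern))
        print(name, "blocks legitimate:", wrongly_rejected(pattern))
```
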