[mapserver-commits] r8867 - trunk/mapserver
svn at osgeo.org
svn at osgeo.org
Wed Apr 1 23:42:48 EDT 2009
Author: sdlime
Date: 2009-04-01 23:42:47 -0400 (Wed, 01 Apr 2009)
New Revision: 8867
Modified:
trunk/mapserver/cgiutil.c
trunk/mapserver/mapfile.c
trunk/mapserver/mapquery.c
trunk/mapserver/mapserv.c
trunk/mapserver/mapsymbol.c
trunk/mapserver/maptemplate.c
trunk/mapserver/maptemplate.h
Log:
Added security fixes for issues #2939, #2941, #2942, #2943, #2944.
Modified: trunk/mapserver/cgiutil.c
===================================================================
--- trunk/mapserver/cgiutil.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/cgiutil.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -5,7 +5,7 @@
* Purpose: cgiRequestObj and CGI parameter parsing.
* Author: Steve Lime and the MapServer team.
*
- * Notes: Portions derived from NCSA HTTPd Server's example CGI programs (util.c).
+ * Notes: Portions derived from NCSA HTTPd Server's example CGI programs (util.c).
*
******************************************************************************
* Copyright (c) 1996-2005 Regents of the University of Minnesota.
@@ -44,7 +44,8 @@
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- int data_max, data_len, chunk_size;
+ unsigned int data_max, data_len;
+ int chunk_size;
msIO_needBinaryStdin();
@@ -52,11 +53,11 @@
/* If the length is provided, read in one gulp. */
/* -------------------------------------------------------------------- */
if( getenv("CONTENT_LENGTH") != NULL ) {
- data_max = atoi(getenv("CONTENT_LENGTH"));
+ data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
data = (char *) malloc(data_max+1);
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
+ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
exit( 1 );
}
@@ -86,7 +87,7 @@
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
+ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
exit(1);
}
}
Modified: trunk/mapserver/mapfile.c
===================================================================
--- trunk/mapserver/mapfile.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapfile.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -4710,11 +4710,20 @@
static int loadMapInternal(mapObj *map)
{
int i,j,k;
+ int foundMapToken=MS_FALSE;
+ int token;
for(;;) {
- switch(msyylex()) {
+ token = msyylex();
+ if(!foundMapToken && token != MAP) {
+ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()");
+ return(MS_FAILURE);
+ }
+
+ switch(token) {
+
case(CONFIG):
{
char *key=NULL, *value=NULL;
@@ -4840,6 +4849,7 @@
if(loadLegend(&(map->legend), map) == -1) return MS_FAILURE;
break;
case(MAP):
+ foundMapToken = MS_TRUE;
break;
case(MAXSIZE):
if(getInteger(&(map->maxsize)) == -1) return MS_FAILURE;
@@ -4900,8 +4910,7 @@
if(loadWeb(&(map->web), map) == -1) return MS_FAILURE;
break;
default:
- msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()",
- msyytext, msyylineno);
+ msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()", msyytext, msyylineno);
return MS_FAILURE;
}
} /* next token */
Modified: trunk/mapserver/mapquery.c
===================================================================
--- trunk/mapserver/mapquery.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapquery.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -121,6 +121,11 @@
return(MS_FAILURE);
}
+ /*
+ ** Make sure the file at least has the right extension.
+ */
+ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;
+
stream = fopen(filename, "rb");
if(!stream) {
msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
Modified: trunk/mapserver/mapserv.c
===================================================================
--- trunk/mapserver/mapserv.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapserv.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -403,6 +403,10 @@
}
if(strcasecmp(mapserv->request->ParamNames[i],"id") == 0) {
+ if(msEvalRegex(IDPATTERN, mapserv->request->ParamValues[i]) == MS_FALSE) {
+ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadForm()");
+ writeError();
+ }
strncpy(mapserv->Id, mapserv->request->ParamValues[i], IDSIZE);
continue;
}
@@ -1308,7 +1312,7 @@
loadForm();
if(mapserv->savemap) {
- sprintf(buffer, "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
+ snprintf(buffer, sizeof(buffer), "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
if(msSaveMap(mapserv->map, buffer) == -1) writeError();
}
@@ -1776,7 +1780,7 @@
if(msReturnTemplateQuery(mapserv, mapserv->map->web.queryformat, NULL) != MS_SUCCESS) writeError();
if(mapserv->savequery) {
- sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
+ snprintf(buffer, sizeof(buffer), "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
if((status = msSaveQuery(mapserv->map, buffer)) != MS_SUCCESS) return status;
}
}
Modified: trunk/mapserver/mapsymbol.c
===================================================================
--- trunk/mapserver/mapsymbol.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapsymbol.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -631,11 +631,12 @@
int loadSymbolSet(symbolSetObj *symbolset, mapObj *map)
{
-/* char old_path[MS_PATH_LENGTH]; */
-/* char *symbol_path; */
int status=1;
char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
+ int foundSymbolSetToken=MS_FALSE;
+ int token;
+
if(!symbolset) {
msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()");
return(-1);
@@ -662,7 +663,14 @@
** Read the symbol file
*/
for(;;) {
- switch(msyylex()) {
+ token = msyylex();
+
+ if(!foundSymbolSetToken && token != SYMBOLSET) {
+ msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file.", "msLoadSymbolSet()");
+ return(-1);
+ }
+
+ switch(token) {
case(END):
case(EOF):
status = 0;
@@ -678,6 +686,7 @@
symbolset->numsymbols++;
break;
case(SYMBOLSET):
+ foundSymbolSetToken = MS_TRUE;
break;
default:
msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno);
Modified: trunk/mapserver/maptemplate.c
===================================================================
--- trunk/mapserver/maptemplate.c 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/maptemplate.c 2009-04-02 03:42:47 UTC (rev 8867)
@@ -3858,7 +3858,7 @@
image = msDrawMap(mapserv->map, bQueryMap);
if(image) {
- sprintf(buffer, "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
@@ -3874,7 +3874,7 @@
imageObj *image = NULL;
image = msDrawLegend(mapserv->map, MS_FALSE);
if(image) {
- sprintf(buffer, "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
@@ -3890,7 +3890,7 @@
imageObj *image = NULL;
image = msDrawScalebar(mapserv->map);
if(image) {
- sprintf(buffer, "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
return MS_FALSE;
@@ -3905,7 +3905,7 @@
imageObj *image;
image = msDrawReferenceMap(mapserv->map);
if(image) {
- sprintf(buffer, "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
return MS_FALSE;
Modified: trunk/mapserver/maptemplate.h
===================================================================
--- trunk/mapserver/maptemplate.h 2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/maptemplate.h 2009-04-02 03:42:47 UTC (rev 8867)
@@ -33,7 +33,8 @@
#include "mapserver.h"
#include "maphash.h"
-#define IDSIZE 128
+#define IDPATTERN "^[0-9A-Za-z]{1,63}$"
+#define IDSIZE 64
#define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE)
#define MAXZOOM 25
#define MINZOOM -25
More information about the mapserver-commits
mailing list