[mapserver-commits] r8867 - trunk/mapserver

svn at osgeo.org svn at osgeo.org
Wed Apr 1 23:42:48 EDT 2009


Author: sdlime
Date: 2009-04-01 23:42:47 -0400 (Wed, 01 Apr 2009)
New Revision: 8867

Modified:
   trunk/mapserver/cgiutil.c
   trunk/mapserver/mapfile.c
   trunk/mapserver/mapquery.c
   trunk/mapserver/mapserv.c
   trunk/mapserver/mapsymbol.c
   trunk/mapserver/maptemplate.c
   trunk/mapserver/maptemplate.h
Log:
Added security fixes for issues #2939, #2941, #2942, #2943, #2944.

Modified: trunk/mapserver/cgiutil.c
===================================================================
--- trunk/mapserver/cgiutil.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/cgiutil.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -5,7 +5,7 @@
  * Purpose:  cgiRequestObj and CGI parameter parsing. 
  * Author:   Steve Lime and the MapServer team.
  *
- * Notes: Portions derived from NCSA HTTPd Server's example CGI programs (util.c). 
+ * Notes: Portions derived from NCSA HTTPd Server's example CGI programs (util.c).
  *
  ******************************************************************************
  * Copyright (c) 1996-2005 Regents of the University of Minnesota.
@@ -44,7 +44,8 @@
 static char *readPostBody( cgiRequestObj *request ) 
 {
   char *data; 
-  int data_max, data_len, chunk_size;
+  unsigned int data_max, data_len;
+  int chunk_size;
 
   msIO_needBinaryStdin();
 
@@ -52,11 +53,11 @@
   /*      If the length is provided, read in one gulp.                    */
   /* -------------------------------------------------------------------- */
   if( getenv("CONTENT_LENGTH") != NULL ) {
-    data_max = atoi(getenv("CONTENT_LENGTH"));
+    data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
     data = (char *) malloc(data_max+1);
     if( data == NULL ) {
       msIO_printf("Content-type: text/html%c%c",10,10);
-      msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
+      msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
       exit( 1 );
     }
 
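Review bot: Casting the atoi() result to unsigned int on the `data_max = (unsigned int) atoi(...)` line does not reject a negative or non-numeric CONTENT_LENGTH. A value of -1 becomes UINT_MAX, `data_max+1` then wraps to 0, and `malloc(0)` may return a non-NULL pointer, so the NULL check below does not catch it. Parse the header with strtol() and refuse negative, non-numeric and out-of-range values before allocating; a site-specific upper bound on POST size would be a further hardening step. The code that fills `data` is outside this hunk, so how the wrapped size is used afterwards could not be checked here.

```c
  if( getenv("CONTENT_LENGTH") != NULL ) {
    const char *cl_str = getenv("CONTENT_LENGTH");
    char *cl_end = NULL;
    long cl;

    errno = 0;
    cl = strtol(cl_str, &cl_end, 10);
    if( cl_end == cl_str || *cl_end != '\0' || errno == ERANGE
        || cl < 0 || (unsigned long) cl >= UINT_MAX ) {
      msIO_printf("Content-type: text/html%c%c",10,10);
      msIO_printf("Invalid Content-Length.\n");
      exit( 1 );
    }
    data_max = (unsigned int) cl;
    /* … unchanged: malloc(data_max+1) and its failure check … */
```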
@@ -86,7 +87,7 @@
 
       if( data == NULL ) {
         msIO_printf("Content-type: text/html%c%c",10,10);
-        msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
+        msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
         exit(1);
       }
     }

Modified: trunk/mapserver/mapfile.c
===================================================================
--- trunk/mapserver/mapfile.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapfile.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -4710,11 +4710,20 @@
 static int loadMapInternal(mapObj *map)
 {
   int i,j,k;
+  int foundMapToken=MS_FALSE; 
+  int token; 
 
   for(;;) {
 
-    switch(msyylex()) {   
+    token = msyylex(); 
 
+    if(!foundMapToken && token != MAP) { 
+      msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()"); 
+      return(MS_FAILURE); 
+    }
+
+    switch(token) {
+
     case(CONFIG):
     {
         char *key=NULL, *value=NULL;
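Review bot: The first-token check added before `switch(token)` has no comment explaining why it exists, and the reason is not obvious from the code. The default case of this switch puts `msyytext` into its error message, so parsing a file that is not a mapfile would presumably echo fragments of that file to the caller. A comment above the `if(!foundMapToken && token != MAP)` line would record that, for example `/* Refuse input that does not start with MAP so parse errors cannot echo text from a non-mapfile. */`. Only the first token is checked, so this narrows the `msyytext` echo in later parse errors rather than removing it. loadMapInternal's body continues outside the hunk.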
@@ -4840,6 +4849,7 @@
       if(loadLegend(&(map->legend), map) == -1) return MS_FAILURE;
       break;
     case(MAP):
+      foundMapToken = MS_TRUE;
       break;   
     case(MAXSIZE):
       if(getInteger(&(map->maxsize)) == -1) return MS_FAILURE;
@@ -4900,8 +4910,7 @@
       if(loadWeb(&(map->web), map) == -1) return MS_FAILURE;
       break;
     default:
-      msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()", 
-                 msyytext, msyylineno);
+      msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()", msyytext, msyylineno);
       return MS_FAILURE;
     }
   } /* next token */

Modified: trunk/mapserver/mapquery.c
===================================================================
--- trunk/mapserver/mapquery.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapquery.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -121,6 +121,11 @@
     return(MS_FAILURE);
   }
 
+  /* 
+  ** Make sure the file at least has the right extension. 
+  */ 
+  if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE; 
+
   stream = fopen(filename, "rb");
   if(!stream) {
     msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
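Review bot: The new extension check returns MS_FAILURE without calling msSetError(), unlike the fopen() failure path just below it, so the caller sees a failure with either no message or a stale one from an earlier error. Setting one before returning keeps the paths consistent, e.g. `msSetError(MS_MISCERR, "Queryfile %s has incorrect file extension.", "msLoadQuery()", filename);`. The pattern hard-codes `.qy` while mapserv.c builds the saved file name from MS_QUERY_EXTENSION, so the two can drift apart if the macro changes. The check constrains only the file name suffix, not the directory the file is read from. The enclosing function starts and ends outside the hunk.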

Modified: trunk/mapserver/mapserv.c
===================================================================
--- trunk/mapserver/mapserv.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapserv.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -403,6 +403,10 @@
     }
 
     if(strcasecmp(mapserv->request->ParamNames[i],"id") == 0) {
+      if(msEvalRegex(IDPATTERN, mapserv->request->ParamValues[i]) == MS_FALSE) { 
+	msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadForm()"); 
+	writeError(); 
+      }
       strncpy(mapserv->Id, mapserv->request->ParamValues[i], IDSIZE);
       continue;
     }
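Review bot: The `strncpy(mapserv->Id, ...)` line still runs unconditionally after the new check, so the rejection only holds if writeError() never returns. That function is not visible here and should be confirmed to end the request. Comparing with `== MS_FALSE` also lets through any other return value of msEvalRegex(), whereas the check added to mapquery.c in this same commit uses `!= MS_TRUE`; `if(msEvalRegex(IDPATTERN, mapserv->request->ParamValues[i]) != MS_TRUE) {` fails closed. The msSetError() and writeError() lines are tab-indented while the surrounding code uses spaces. The enclosing loop in loadForm() starts and ends outside the hunk.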
@@ -1308,7 +1312,7 @@
     loadForm();
  
     if(mapserv->savemap) {
-      sprintf(buffer, "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
+      snprintf(buffer, sizeof(buffer), "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
       if(msSaveMap(mapserv->map, buffer) == -1) writeError();
     }
 
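Review bot: The snprintf() return value is discarded, so an over-long `imagepath` + `name` + `Id` is silently truncated and msSaveMap() is called with a path other than the intended one, possibly without its `.map` suffix. Capture the result and fail the request on truncation, e.g. `n = snprintf(buffer, sizeof(buffer), ...); if(n < 0 || n >= (int) sizeof(buffer))` followed by the file's usual msSetError()/writeError() path. The same applies to the snprintf() call in the `@@ -1776` hunk of this file and to the four snprintf() calls in maptemplate.c. `sizeof(buffer)` is the buffer length only if `buffer` is declared as an array in each of these functions; the declarations are outside the hunks.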
@@ -1776,7 +1780,7 @@
         if(msReturnTemplateQuery(mapserv, mapserv->map->web.queryformat, NULL) != MS_SUCCESS) writeError();
           
         if(mapserv->savequery) {
-          sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
+          snprintf(buffer, sizeof(buffer), "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
           if((status = msSaveQuery(mapserv->map, buffer)) != MS_SUCCESS) return status;
         }
       }

Modified: trunk/mapserver/mapsymbol.c
===================================================================
--- trunk/mapserver/mapsymbol.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/mapsymbol.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -631,11 +631,12 @@
 
 int loadSymbolSet(symbolSetObj *symbolset, mapObj *map)
 {
-/* char old_path[MS_PATH_LENGTH]; */
-/* char *symbol_path; */
   int status=1;
   char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
 
+  int foundSymbolSetToken=MS_FALSE; 
+  int token;
+
   if(!symbolset) {
     msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()");
     return(-1);
@@ -662,7 +663,14 @@
   ** Read the symbol file
   */
   for(;;) {
-    switch(msyylex()) {
+    token = msyylex(); 
+
+    if(!foundSymbolSetToken && token != SYMBOLSET) { 
+      msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file.", "msLoadSymbolSet()"); 
+      return(-1); 
+    }
+
+    switch(token) {
     case(END):
     case(EOF):      
       status = 0;
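Review bot: The new `return(-1)` leaves the function from inside the read loop, whereas the END/EOF case just below sets `status` instead of returning. That suggests the loop normally exits through `status` and that cleanup, such as closing the input file, follows it outside this hunk. If so, the early return skips that cleanup and `status = -1; break;` would be the consistent form; confirm against the rest of loadSymbolSet(). The check also means a file whose first token is EOF now fails, where the `case(EOF)` branch previously yielded `status = 0`. The routine name passed to msSetError() here is "msLoadSymbolSet()", while the default case of the same switch uses "loadSymbolSet()".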
@@ -678,6 +686,7 @@
           symbolset->numsymbols++;
       break;
     case(SYMBOLSET):
+      foundSymbolSetToken = MS_TRUE;
       break;
     default:
       msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno);

Modified: trunk/mapserver/maptemplate.c
===================================================================
--- trunk/mapserver/maptemplate.c	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/maptemplate.c	2009-04-02 03:42:47 UTC (rev 8867)
@@ -3858,7 +3858,7 @@
       image = msDrawMap(mapserv->map, bQueryMap);
 
       if(image) { 
-        sprintf(buffer, "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+        snprintf(buffer, sizeof(buffer), "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
 
         if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
           msFreeImage(image);
@@ -3874,7 +3874,7 @@
       imageObj *image = NULL;
       image = msDrawLegend(mapserv->map, MS_FALSE);
       if(image) { 
-        sprintf(buffer, "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+        snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
                 
         if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
           msFreeImage(image);
@@ -3890,7 +3890,7 @@
       imageObj *image = NULL;
       image = msDrawScalebar(mapserv->map);
       if(image) {
-        sprintf(buffer, "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+        snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
         if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
           msFreeImage(image);
           return MS_FALSE;
@@ -3905,7 +3905,7 @@
       imageObj *image;
       image = msDrawReferenceMap(mapserv->map);
       if(image) { 
-        sprintf(buffer, "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+        snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
         if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
           msFreeImage(image);
           return MS_FALSE;

Modified: trunk/mapserver/maptemplate.h
===================================================================
--- trunk/mapserver/maptemplate.h	2009-04-02 01:39:06 UTC (rev 8866)
+++ trunk/mapserver/maptemplate.h	2009-04-02 03:42:47 UTC (rev 8867)
@@ -33,7 +33,8 @@
 #include "mapserver.h"
 #include "maphash.h"
 
-#define IDSIZE 128
+#define IDPATTERN "^[0-9A-Za-z]{1,63}$"
+#define IDSIZE 64
 #define TEMPLATE_TYPE(s)  (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0)  ? MS_URL : MS_FILE)
 #define MAXZOOM 25
 #define MINZOOM -25
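Review bot: The `{1,63}` bound in IDPATTERN and `IDSIZE 64` depend on each other, but nothing in the header says so. loadForm() copies the id with `strncpy(mapserv->Id, ..., IDSIZE)`, which leaves the destination unterminated when the source has IDSIZE or more characters. A comment above the two defines would keep them in step, e.g. `/* IDPATTERN's maximum length must stay at IDSIZE-1: loadForm() copies the id with strncpy(..., IDSIZE). */`. Halving IDSIZE from 128 also shrinks every buffer declared with it, so other users of the macro outside this diff should be checked. Whether `$` can match before a trailing newline depends on the flags msEvalRegex() compiles with, which are not visible here.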


