[mapserver-commits] r8805 - branches/branch-5-2/mapserver
svn at osgeo.org
svn at osgeo.org
Tue Mar 17 00:53:04 EDT 2009
Author: sdlime
Date: 2009-03-17 00:53:03 -0400 (Tue, 17 Mar 2009)
New Revision: 8805
Modified:
branches/branch-5-2/mapserver/cgiutil.c
branches/branch-5-2/mapserver/mapfile.c
branches/branch-5-2/mapserver/mapquery.c
branches/branch-5-2/mapserver/mapserv.c
branches/branch-5-2/mapserver/maptemplate.c
branches/branch-5-2/mapserver/maptemplate.h
Log:
Applied patches for several security problems identified in a recent audit of the CGI application. (#2939,#2941,#2942,#2943,#2944)
Modified: branches/branch-5-2/mapserver/cgiutil.c
===================================================================
--- branches/branch-5-2/mapserver/cgiutil.c 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/cgiutil.c 2009-03-17 04:53:03 UTC (rev 8805)
@@ -44,7 +44,8 @@
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- int data_max, data_len, chunk_size;
+ unsigned int data_max, data_len;
+ int chunk_size;
msIO_needBinaryStdin();
@@ -52,11 +53,11 @@
/* If the length is provided, read in one gulp. */
/* -------------------------------------------------------------------- */
if( getenv("CONTENT_LENGTH") != NULL ) {
- data_max = atoi(getenv("CONTENT_LENGTH"));
+ data_max = (unsigned int) atoi(getenv("CONTENT_LENGTH"));
data = (char *) malloc(data_max+1);
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
+ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
exit( 1 );
}
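Review bot: A negative Content-Length still gets through the new cast: `atoi()` returning -1 becomes UINT_MAX in `data_max`, so `data_max+1` wraps to 0 and `malloc(0)` can return a non-NULL pointer that passes the `data == NULL` check. `atoi()` also cannot report a non-numeric or out-of-range header. Parsing with `strtol()` and rejecting empty, negative, trailing-garbage and oversized values before the allocation closes this; a deployment-specific cap on POST size would be tighter than `INT_MAX`, which needs `<limits.h>`. The read that fills `data` is outside this hunk, so the effect of the undersized buffer is inferred rather than visible here.

```c
if( getenv("CONTENT_LENGTH") != NULL ) {
  const char *cl = getenv("CONTENT_LENGTH");
  char *end = NULL;
  long len = strtol(cl, &end, 10);

  /* strtol() saturates on overflow, so the range test also rejects those values */
  if( end == cl || *end != '\0' || len < 0 || len >= INT_MAX ) {
    msIO_printf("Content-type: text/html%c%c",10,10);
    msIO_printf("Invalid Content-Length header.\n");
    exit( 1 );
  }
  data_max = (unsigned int) len;
  data = (char *) malloc(data_max+1);
  /* … unchanged: malloc() failure report … */
```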
@@ -86,7 +87,7 @@
if( data == NULL ) {
msIO_printf("Content-type: text/html%c%c",10,10);
- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
+ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
exit(1);
}
}
Modified: branches/branch-5-2/mapserver/mapfile.c
===================================================================
--- branches/branch-5-2/mapserver/mapfile.c 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/mapfile.c 2009-03-17 04:53:03 UTC (rev 8805)
@@ -4355,11 +4355,20 @@
static int loadMapInternal(mapObj *map)
{
int i,j,k;
+ int foundMapToken=MS_FALSE;
+ int token;
for(;;) {
- switch(msyylex()) {
+ token = msyylex();
+ if(!foundMapToken && token != MAP) {
+ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()");
+ return(MS_FAILURE);
+ }
+
+ switch(token) {
+
case(CONFIG):
{
char *key=NULL, *value=NULL;
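Review bot: The new first-token check has no comment explaining why it exists, and the reason is not obvious from the loop alone. The `default:` case later in this function puts `msyytext` into its error message, so the check appears intended to reject a file that is not a mapfile before any of its content can be echoed back; that intent is inferred from the message text. I would add above the `if`: `/* Reject input whose first token is not MAP before the parser can report any of its content in an error. */`. The error names `msLoadMap()` although the check lives in `loadMapInternal()`, which matches the existing `default:` message but deserves a word in the comment. The loop body continues outside this hunk.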
@@ -4485,7 +4494,8 @@
if(loadLegend(&(map->legend), map) == -1) return MS_FAILURE;
break;
case(MAP):
- break;
+ foundMapToken = MS_TRUE;
+ break;
case(MAXSIZE):
if(getInteger(&(map->maxsize)) == -1) return MS_FAILURE;
break;
@@ -4542,8 +4552,7 @@
if(loadWeb(&(map->web), map) == -1) return MS_FAILURE;
break;
default:
- msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()",
- msyytext, msyylineno);
+ msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "msLoadMap()", msyytext, msyylineno);
return MS_FAILURE;
}
} /* next token */
Modified: branches/branch-5-2/mapserver/mapquery.c
===================================================================
--- branches/branch-5-2/mapserver/mapquery.c 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/mapquery.c 2009-03-17 04:53:03 UTC (rev 8805)
@@ -121,6 +121,11 @@
return(MS_FAILURE);
}
+ /*
+ ** Make sure the file at least has the right extension.
+ */
+ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;
+
stream = fopen(filename, "rb");
if(!stream) {
msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
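Review bot: The extension check returns `MS_FAILURE` without calling `msSetError()`, unlike the `fopen()` failure just below it, so a caller that reports the error stack has nothing to show for a rejected name. I would write `if(msEvalRegex("\\.qy$", filename) != MS_TRUE) { msSetError(MS_IOERR, "Queryfile name must end in .qy.", "msLoadQuery()"); return MS_FAILURE; }`. The check constrains only the suffix; whether the directory part of `filename` is restricted elsewhere cannot be seen from this hunk, and the comment above the check could say so. The function starts and ends outside the hunk.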
Modified: branches/branch-5-2/mapserver/mapserv.c
===================================================================
--- branches/branch-5-2/mapserver/mapserv.c 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/mapserv.c 2009-03-17 04:53:03 UTC (rev 8805)
@@ -403,6 +403,10 @@
}
if(strcasecmp(mapserv->request->ParamNames[i],"id") == 0) {
+ if(msEvalRegex(IDPATTERN, mapserv->request->ParamValues[i]) == MS_FALSE) {
+ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadMap()");
+ writeError();
+ }
strncpy(mapserv->Id, mapserv->request->ParamValues[i], IDSIZE);
continue;
}
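Review bot: The `id` check compares against `MS_FALSE`, so any other return from `msEvalRegex()` would let the value through; `mapquery.c` in this same commit uses the fail-closed form, and this line should match it: `if(msEvalRegex(IDPATTERN, mapserv->request->ParamValues[i]) != MS_TRUE) {`. The rejecting branch has no `continue` or return, so the `strncpy()` below it is skipped only if `writeError()` never returns, which is not visible here; a short comment stating that would help. `strncpy(..., IDSIZE)` does not terminate on its own, so the 63-character cap in `IDPATTERN` is what keeps `mapserv->Id` terminated, assuming the array is at least `IDSIZE` bytes. The enclosing loop starts and ends outside the hunk.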
@@ -1306,7 +1310,7 @@
loadForm();
if(mapserv->savemap) {
- sprintf(buffer, "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
+ snprintf(buffer, 1024, "%s%s%s.map", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id);
if(msSaveMap(mapserv->map, buffer) == -1) writeError();
}
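Review bot: The `snprintf()` return value is ignored, so an over-long `imagepath` + `name` + `Id` is silently truncated and `msSaveMap()` is handed a different path than intended, possibly without its `.map` suffix. The size is also the literal `1024` rather than derived from `buffer`, whose declaration is outside the hunk. If `buffer` is an array, I would write `n = snprintf(buffer, sizeof(buffer), "%s%s%s.map", ...);` followed by `if(n < 0 || n >= (int)sizeof(buffer))` and report the failure through `msSetError()` and `writeError()` instead of saving. The same applies to the `snprintf()` before `msSaveQuery()` in this file and to the four `snprintf()` calls in `maptemplate.c`.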
@@ -1780,7 +1784,7 @@
if(msReturnTemplateQuery(mapserv, mapserv->map->web.queryformat, NULL) != MS_SUCCESS) writeError();
if(mapserv->savequery) {
- sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
+ snprintf(buffer, 1024, "%s%s%s%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);
if((status = msSaveQuery(mapserv->map, buffer)) != MS_SUCCESS) return status;
}
}
Modified: branches/branch-5-2/mapserver/maptemplate.c
===================================================================
--- branches/branch-5-2/mapserver/maptemplate.c 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/maptemplate.c 2009-03-17 04:53:03 UTC (rev 8805)
@@ -3848,7 +3848,7 @@
image = msDrawMap(mapserv->map, bQueryMap);
if(image) {
- sprintf(buffer, "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, 1024, "%s%s%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
@@ -3864,7 +3864,7 @@
imageObj *image = NULL;
image = msDrawLegend(mapserv->map, MS_FALSE);
if(image) {
- sprintf(buffer, "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, 1024, "%s%sleg%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
@@ -3880,7 +3880,7 @@
imageObj *image = NULL;
image = msDrawScalebar(mapserv->map);
if(image) {
- sprintf(buffer, "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, 1024, "%s%ssb%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
return MS_FALSE;
@@ -3895,7 +3895,7 @@
imageObj *image;
image = msDrawReferenceMap(mapserv->map);
if(image) {
- sprintf(buffer, "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
+ snprintf(buffer, 1024, "%s%sref%s.%s", mapserv->map->web.imagepath, mapserv->map->name, mapserv->Id, MS_IMAGE_EXTENSION(mapserv->map->outputformat));
if(msSaveImage(mapserv->map, image, buffer) != MS_SUCCESS && bReturnOnError) {
msFreeImage(image);
return MS_FALSE;
Modified: branches/branch-5-2/mapserver/maptemplate.h
===================================================================
--- branches/branch-5-2/mapserver/maptemplate.h 2009-03-17 00:57:08 UTC (rev 8804)
+++ branches/branch-5-2/mapserver/maptemplate.h 2009-03-17 04:53:03 UTC (rev 8805)
@@ -33,7 +33,8 @@
#include "mapserver.h"
#include "maphash.h"
-#define IDSIZE 128
+#define IDPATTERN "^[0-9A-Za-z]{1,63}$"
+#define IDSIZE 64
#define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE)
#define MAXZOOM 25
#define MINZOOM -25
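Review bot: Nothing ties the `63` in `IDPATTERN` to `IDSIZE`, so a later change to either define can silently break the guarantee that a validated id fits in an `IDSIZE` buffer with its terminator. I would add a comment above the two defines: `/* IDPATTERN's maximum length must stay at IDSIZE-1: mapserv.c copies a validated id with strncpy(..., IDSIZE). */`. Shrinking `IDSIZE` from 128 to 64 also changes every buffer declared with it; those declarations are outside this hunk and worth checking.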