[mapserver-dev] Re: MapServer security issue

Tomas Krecmer tokr at tmapy.cz
Tue Nov 5 09:51:57 EST 2002


> There are actually other vulnerabilities that I will not disclose to
> this list for obvious reasons.  What do other developers think?
> 
> Some options that come to mind are:
> 
> - Have the ability to compile MapServer in a "safe" mode where no
> filename can be changed via the URL... actually this could be the
> default starting with 3.7, and a special option would be required in
> order to enable changing things like data paths in a URL
> 
> - Modify MapServer to limit a mapfile to a given set of
> sub-directories... this could be handled via the new msBuildPath()
> function that is used everywhere in version 3.7 to access files. 
> However there are always chances that we could overlook one place or
> another and leave a hole open.  (You have to think about database
> connections or other parameters not stored as filenames)
> 
> - Another safety feature would be to disable the use of the 'map=...'
> parameter in the URL when the MS_MAPFILE environment variable is set. 
> In the current implementation if MS_MAPFILE is set then it is still
> possible to override its value with the map=... parameter in the URL.
> 
> Any other suggestion?

There is also another good place for this setting: a MAP file itself. 
There could be variables

DYNAMIC_LAYERS=ON
DYNAMIC_LAYERS_PATH="/mapserver/data/public;/mapserver/data/world"

The default setting for DYNAMIC_LAYERS would be in the environment 
variable or in the configuration file mapserver.ini for all mapserver 
projects. It could contain default SYMBOLSET, UNITS, ... (maybe all MAP 
Objects parameters). It would have the same logic as the php.ini file 
for PHP.

Tomas

-- 
Tomas Krecmer, tokr at tmapy.cz
T-Mapy spol. s r. o., Nezvalova 850, 500 03 Hradec Kralove,
Czech Republic, phone: + 420 49 5513335 , fax + 420 49 5513371
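
The directory allowlist proposed in this message could be enforced with a check like the one below, an added example that is not part of the original post or of MapServer. The function names are hypothetical, DYNAMIC_LAYERS_PATH is only the setting proposed above, and the check is purely lexical (symlinks are not resolved).

```c
#include <string.h>

/* Added example with hypothetical helpers; not MapServer code.
 * Lexically normalise an absolute path (collapse "//", drop ".", resolve "..").
 * Returns 0 on success, -1 if relative, too long, or ".." climbs above "/".
 * Symlinks are not resolved; a real deployment would also call realpath(). */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) return -1;
            while (len > 0 && out[--len] != '/') { }
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + 1 + n >= outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* 1 if `requested` is a file strictly below one of the ';'-separated
 * directories in `allowed` (the DYNAMIC_LAYERS_PATH format proposed above). */
int path_is_allowed(const char *requested, const char *allowed)
{
    char req[1024], entry[1024], dir[1024];
    if (normalize_path(requested, req, sizeof req) != 0) return 0;
    while (*allowed) {
        size_t n = strcspn(allowed, ";");
        if (n > 0 && n < sizeof entry) {
            memcpy(entry, allowed, n);
            entry[n] = '\0';
            size_t dl = normalize_path(entry, dir, sizeof dir) == 0 ? strlen(dir) : 0;
            /* dl > 1 skips invalid entries and a bare "/" (would allow everything);
             * req[dl] == '/' stops "/data/public" matching "/data/public_old". */
            if (dl > 1 && strncmp(req, dir, dl) == 0 && req[dl] == '/') return 1;
        }
        allowed += n + (allowed[n] == ';');
    }
    return 0;
}
```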
