[mapserver-dev] Re: MapServer security issue
Jan Hartmann
jhart at frw.uva.nl
Sat Nov 16 09:13:14 EST 2002
On second thoughts:
To allow for multiple MapFiles to be accessed from URLs, MS_MAPFILE
could be a colon-separated list of allowed mapfiles
(file1:file2:file3:...). Each of those could be accessed via the normal
?map=mapfile.parameter. The first one could be the default map. Coming
to think of it, you could just as well do this with a regex. And to
protect people against themselves, you could make MS_MAPFILE obligatory.
Jan
Jan Hartmann wrote:
>
> Just one final loophole, mentioned by Daniel: the mapfile from the
> calling URL. This can come anywhere in the filesystem and you cannot
> shield that with a regular expression within the mapfile (would be
> circular, wouldn't it?). His solution (adding an environment variable
> MS_MAPFILE that can override the map-URL parameter) looks fine to me.
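
The colon-separated MS_MAPFILE allowlist proposed in this message, sketched in C as an added example; it is not code from MapServer or from the thread. The function name `select_mapfile`, its signature and the sample paths are assumptions. It treats MS_MAPFILE as mandatory and uses the first entry as the default.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not MapServer code: pick the mapfile for a request.
 * allowed   - value of MS_MAPFILE, "file1:file2:..." (NULL if unset)
 * requested - value of the map= URL parameter (NULL if absent)
 * Returns 0 and copies the chosen path into out, or -1 to refuse. */
int select_mapfile(const char *allowed, const char *requested,
                   char *out, size_t outlen)
{
    if (allowed == NULL || out == NULL || outlen == 0)
        return -1;                      /* MS_MAPFILE is obligatory */
    size_t want = requested ? strlen(requested) : 0;
    const char *p = allowed;
    while (*p != '\0') {
        size_t len = strcspn(p, ":");   /* length of this list entry */
        /* Skip empty entries ("a::b"). With no map= parameter the first
         * entry is the default; otherwise require an exact, full-length
         * match so prefixes and "/../" suffixes never pass. */
        if (len > 0 &&
            (requested == NULL ||
             (len == want && memcmp(p, requested, len) == 0))) {
            if (len >= outlen)
                return -1;              /* would not fit: refuse */
            memcpy(out, p, len);
            out[len] = '\0';
            return 0;
        }
        p += len;
        if (*p == ':')
            p++;
    }
    return -1;                          /* not on the list */
}

int main(void)
{
    /* Constructed sample values. */
    const char *list = "/maps/world.map:/maps/city.map";
    const char *tries[] = { NULL, "/maps/city.map", "/etc/passwd",
                            "/maps/city.map/../../etc/passwd" };
    char path[256];
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int rc = select_mapfile(list, tries[i], path, sizeof path);
        printf("%-34s -> %s\n", tries[i] ? tries[i] : "(no map=)",
               rc == 0 ? path : "refused");
    }
    return 0;
}
```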