[mapserver-dev] Re: MapServer security issue

Jan Hartmann jhart at frw.uva.nl
Sat Nov 16 09:13:14 EST 2002

On second thougthts:

To allow for multiple MapFiles to be accessed from URL's, MS_MAPFILE 
could be a colon-separated list of allowed mapfiles 
(file1:file2:file3:...). Each of those could be accessed via the normal 
?map=mapfile.parameter. The first one could be the default map. Coming 
to think of it, you could just as well do this with a regex. And to 
protect people against themselves, you could make MS_MAPFILE obligatory.


Jan Hartmann wrote:
> Just one final loophole, mentioned by Daniel: the mapfile from the 
> calling URL. This can come anywhere in the filesystem and you cannot 
> shield that with a regular expression within the mapfile (would be 
> circular, wouldn't it?). His solution (adding an environment variable 
> MS_MAPFILE that can override the map-URL parameter) looks fine to me.

More information about the mapserver-dev mailing list