[mapserver-dev] Re: MapServer security issue

Steve Lime steve.lime at dnr.state.mn.us
Mon Nov 18 13:31:27 EST 2002

Too much running through my head these days. Can you sum up the map
hole? I tried wading through this thread and thought I'd just ask. At
the moment
you can set a mapfile by:

  - setting the MS_MAPFILE env variable
  - setting parameter map to some file
  - setting parameter map to some env variable (i.e. COMPASS_MAPFILE)

In any case, the file name is checked against a regex and that file is
never returned
to the user. I use the last option all the time to hide mapfile
locations and to make
application management easier.


Stephen Lime
Data & Applications Manager

Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155

>>> Jan Hartmann <jhart at frw.uva.nl> 11/16/02 08:13AM >>>
On second thougthts:

To allow for multiple MapFiles to be accessed from URL's, MS_MAPFILE 
could be a colon-separated list of allowed mapfiles 
(file1:file2:file3:...). Each of those could be accessed via the normal

?map=mapfile.parameter. The first one could be the default map. Coming

to think of it, you could just as well do this with a regex. And to 
protect people against themselves, you could make MS_MAPFILE


Jan Hartmann wrote:
> Just one final loophole, mentioned by Daniel: the mapfile from the 
> calling URL. This can come anywhere in the filesystem and you cannot

> shield that with a regular expression within the mapfile (would be 
> circular, wouldn't it?). His solution (adding an environment variable

> MS_MAPFILE that can override the map-URL parameter) looks fine to

More information about the mapserver-dev mailing list