[mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)
Daniel Morissette
dmorissette at mapgears.com
Mon Aug 7 09:50:34 PDT 2017
Would it not be sufficient to HTML-encode the values before sending them
out? In this case, the "-->" would become "--&gt;" which would fix the
vulnerability. We use msEncodeHTMLEntities() for this in mapserv:
https://github.com/mapserver/mapserver/blob/branch-7-0/mapstring.c#L1225
Daniel
On 2017-08-07 12:47 PM, Lime, Steve D (MNIT) wrote:
> Moving to just mapserver-dev… I’m guessing Thomas is traveling, bummer.
> I suppose we could look at the instances and see if there really is
> value in returning the user value and then make the decision on approach.
>
> *From:*Even Rouault [mailto:even.rouault at spatialys.com]
> *Sent:* Monday, August 07, 2017 11:14 AM
> *To:* mapserver-dev at lists.osgeo.org
> *Cc:* Lime, Steve D (MNIT) <steve.lime at state.mn.us>; Jeff McKenna
> <jmckenna at gatewaygeomatics.com>; mapserver-users at lists.osgeo.org
> *Subject:* Re: [mapserver-dev] [mapserver-users] XSS vulnerability on
> the 'layer' parameter of WMTS (mapcache)
>
> On Monday 7 August 2017 15:20:01 CEST Lime, Steve D (MNIT) wrote:
>
>> I'd favor the more simple and safer approach. It's not that difficult for
>> the user to validate the layers requested against the GetCapabilities
>> response. MapServer itself does not return the name of the invalid layer,
>> presumably for the exact same reason. Instead you get
>> "msWMSLoadGetMapParams(): WMS server error. Invalid layer(s) given in the
>> LAYERS parameter. A layer might be disabled for this request. Check
>> wms/ows_enable_request settings.".
>
> Agreed. I guess Jeff's remark was perhaps if the client software sends a
> lot of requests and it is not very convenient to match the responses
> with the queries which have been fired. For a single request,
> re-emitting the value in the response exception doesn't bring much,
> because the user knows what it has requested.
>
>> Even, would you be willing to prepare a patch?
>
> I can. I would have been interested in hearing Thomas' opinion, but
> given the period of the year he might not have been reading us.
>
> I've researched how to safely "escape" arbitrary user data input for
> inclusion inside <-- --> markers, but couldn't find any solid reference
> (probably rejecting "--" should be sufficient?). As there's one function
> per protocol where error messages are formatted, the sanitizing could
> potentially be centralized there, which would reduce the amount of
> changes. The simpler approach I talked about is simpler indeed but
> requires identifying all the places where a user value is returned in an
> error message (mostly grepping for a "%s" in a set_error() call): not
> hard, but with a slight chance of missing something.
>
> Even
>
> --
>
> Spatialys - Geospatial professional services
>
> http://www.spatialys.com
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
--
Daniel Morissette
Mapgears Inc
T: +1 418-696-5056 #201
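An added example in C, not MapCache or MapServer code, contrasting the two approaches discussed in this thread: entity-encoding a reflected LAYER value before it is written into an XML comment, versus rejecting any value that contains "--". The exception document layout, the tag names and the html_encode() helper (written independently, in the spirit of msEncodeHTMLEntities()) are assumptions for illustration; the payload is a constructed one of the kind an XSS probe would send.

```c
/* Added example (not MapServer/MapCache code): two ways to stop a reflected
 * LAYER value from breaking out of an XML comment in an error response. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Replace the characters that carry meaning in HTML/XML with entity
 * references.  Same idea as msEncodeHTMLEntities(), written independently. */
char *html_encode(const char *in)
{
    size_t cap = strlen(in) * 6 + 1;   /* worst case: every byte -> "&quot;" */
    char *out = malloc(cap);
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        const char *rep;
        size_t n;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *p++ = *in;     continue;
        }
        n = strlen(rep);
        memcpy(p, rep, n);
        p += n;
    }
    *p = '\0';
    return out;
}

/* Stricter alternative raised in the thread: refuse the value outright.
 * XML 1.0 forbids "--" anywhere inside a comment (not only "-->"), and a
 * trailing "-" would join the closing marker to form "--->" / "-->". */
int xml_comment_safe(const char *s)
{
    size_t n = strlen(s);
    if (strstr(s, "--")) return 0;
    if (n && s[n - 1] == '-') return 0;
    return 1;
}

/* Hypothetical exception document that echoes the layer name in a comment;
 * the element names are assumed, not taken from the WMTS spec or MapCache. */
char *format_exception(const char *layer, int encode)
{
    static const char *tmpl =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        "<ExceptionReport>\n"
        "  <!-- requested layer: %s -->\n"
        "  <Exception exceptionCode=\"InvalidParameterValue\" locator=\"LAYER\"/>\n"
        "</ExceptionReport>\n";
    char *val = encode ? html_encode(layer) : dup_string(layer);
    size_t cap;
    char *body;
    if (!val) return NULL;
    cap = strlen(tmpl) + strlen(val) + 1;
    body = malloc(cap);
    if (body) snprintf(body, cap, tmpl, val);
    free(val);
    return body;
}

/* Number of "-->" comment terminators in the body: exactly one when the
 * comment is intact, more when the user value closed it early. */
int count_terminators(const char *body)
{
    int n = 0;
    const char *p = body;
    while ((p = strstr(p, "-->")) != NULL) { n++; p += 3; }
    return n;
}

int main(void)
{
    /* Constructed payload: closes the comment, injects script, reopens it. */
    const char *payload = "--><script>alert(1)</script><!--";
    char *raw = format_exception(payload, 0);
    char *enc = format_exception(payload, 1);
    if (!raw || !enc) return 1;
    printf("raw: %d terminator(s)\n%s\n", count_terminators(raw), raw);
    printf("encoded: %d terminator(s)\n%s\n", count_terminators(enc), enc);
    printf("xml_comment_safe(payload) = %d\n", xml_comment_safe(payload));
    free(raw);
    free(enc);
    return 0;
}
```

Entity encoding stops the break-out because entity references are not expanded inside comments: the bytes "--&gt;" stay literal and a browser never sees a second "-->". The caveat is that the encoded value still contains "--", which XML 1.0 does not allow inside a comment at all, so a strict XML parser can reject the document even though the XSS is gone; rejecting such values up front (xml_comment_safe() above) addresses both problems at the cost of not echoing the value.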