[mapserver-dev] Security Advisory – Limiting Mapfile Access
Steve Lime
sdlime at gmail.com
Tue Mar 30 11:24:54 PDT 2021
Hi all: This is an important reminder that, as part of a secure deployment,
it is important to limit MapServer CGI access to mapfiles. The MapServer
CGI has long supported the use of environment variables as a primary
mechanism to do this. If you haven’t implemented these controls then that
constitutes undue risk that is easily mitigated and we strongly encourage
you to do so as soon as possible. It’s also a great time to review those
settings if you already have them in place as we’ve recently updated regex
examples related to MS_MAP_PATTERN to limit path traversal.
Relevant documentation can be found at:
- https://mapserver.org/optimization/limit_mapfile_access.html
<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmapserver.org%2Foptimization%2Flimit_mapfile_access.html&data=04%7C01%7Csteve.lime%40state.mn.us%7C83d18f834100493d07d208d8f38cb6e4%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637527134622587147%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=nm9oinfRBIW6p2O2MWFa%2FEwSggN0OU75ITLisrSNXck%3D&reserved=0>
- https://mapserver.org/environment_variables.html
<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmapserver.org%2Fenvironment_variables.html%23environment-variables&data=04%7C01%7Csteve.lime%40state.mn.us%7C83d18f834100493d07d208d8f38cb6e4%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637527134622597107%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SU5H%2F0IKrina79Ts9X47fv8X3AHC0TRAwX2N4p3%2BOvA%3D&reserved=0>
Please don’t hesitate to reach out with questions.
--Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210330/ea3ff86a/attachment.html>
More information about the mapserver-dev
mailing list