[mapserver-dev] Question about the bad mapfile pattern (vulnerability) check
    Tamas Szekeres 
    szekerest at gmail.com
       
    Thu Feb 10 02:34:31 PST 2022
    
    
  
Hi Developers,
I noticed that the double back slashes are excluded from the accepted
mapfile pattern in one of the commits not too long ago according to
security vulnerability reasons. The bad patten regex is now looking like:
const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,";
Do we have a specific reason why we don't accept the double back slashes at
the beginning of the mapfile path? This normally refers to a network share
which is considered to be an absolute path, and our use cases are working
like that extensively. I guess we wanted to exclude the relative paths
basically, but it seems not to be that case.
I'm also wondering if the double forward slashes at the beginning makes
much sense to exclude, since I think that is treated as a single forward
slash in the unix like systems which is normally accepted.
Thanks,
Tamas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20220210/0bdc0da9/attachment.html>
    
    
More information about the MapServer-dev
mailing list