[mapserver-dev] Question about the bad mapfile pattern (vulnerability) check
Jeff McKenna
jmckenna at gatewaygeomatics.com
Sat Feb 26 06:52:10 PST 2022
Sharing my thoughts on this also (after the initial dust has settled),
that now would be a good time to:
- since we now have a required config file, remove the hardcoded
MS_MAP_BAD_PATTERN from mapservutil.c (as it fails on PCRE regex, and
most users have no access to that file anyway) and enable it in the
shared config file
- (as I tried mentioning in the recent ticket) throw a meaningful error
if the user does not specifically set both MS_MAP_PATTERN and
MS_MAP_BAD_PATTERN
- therefore set a default MS_MAP_PATTERN and MS_MAP_BAD_PATTERN in the
shared config file
thanks,
-jeff
On 2022-02-25 6:51 p.m., Steve Lime wrote:
>
> Thinking about this more for 8.0. Since MS_MAP_PATTERN is required now
> (via config file), perhaps the default value for MS_MAP_BAD_PATTERN can
> just limit back references...
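The fail-closed behaviour proposed in the second bullet above, sketched as an added example (not MapServer code, and not from either poster): a map path is rejected with a distinct, reportable result unless both patterns are configured. The function name, result codes and both patterns are constructed for illustration, and POSIX extended regexes from `<regex.h>` stand in for whichever regex library a given build uses.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes, so the caller can report a meaningful error. */
typedef enum { MAP_OK, MAP_UNCONFIGURED, MAP_REGEX_ERROR,
               MAP_BAD, MAP_NOT_ALLOWED } map_check_t;

/* Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
static int re_match(const char *pattern, const char *s) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, s, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* allow/bad play the roles of MS_MAP_PATTERN / MS_MAP_BAD_PATTERN. */
map_check_t check_map_path(const char *path, const char *allow, const char *bad) {
    /* Fail closed: a missing or empty pattern is an error, not "allow all". */
    if (!allow || !*allow || !bad || !*bad) return MAP_UNCONFIGURED;
    if (!path) return MAP_NOT_ALLOWED;
    int b = re_match(bad, path);
    int a = re_match(allow, path);
    /* A pattern that does not compile must never be treated as "no match". */
    if (a < 0 || b < 0) return MAP_REGEX_ERROR;
    if (b) return MAP_BAD;          /* deny pattern wins over allow pattern */
    if (!a) return MAP_NOT_ALLOWED;
    return MAP_OK;
}

/* Constructed sample patterns (assumptions, not MapServer defaults). */
static const char ALLOW[] = "^/opt/maps/[a-z0-9_./-]+\\.map$";
static const char BAD[]   = "(^|/)\\.\\.(/|$)";  /* any ".." path component */

int main(void) {
    const char *samples[] = { "/opt/maps/demo/world.map",
                              "/opt/maps/../etc/x.map", "/etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %d\n", samples[i],
               (int)check_map_path(samples[i], ALLOW, BAD));
    printf("%-28s -> %d\n", "(allow pattern unset)",
           (int)check_map_path(samples[0], NULL, BAD));
    return 0;
}
```

Returning a separate code for a pattern that fails to compile keeps a regex-flavour mismatch from silently disabling the deny check.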