[mapserver-users] Mapserver Security
Steve Lime
Steve.Lime at dnr.state.mn.us
Tue Jul 28 11:25:26 PDT 2009
Problem with MS_MAPFILE_PATTERN is that if using it for the path part of a mapfile you
could use back references to get elsewhere. I imagine it's possible to craft a regex that
wouldn't allow '..' but it's not trivial (examples welcome!). Not allowing path'd mapfiles
at all is more restrictive and is certainly a goal of mine now when setting apps up.
I should add that we are very interested in security improvements so please let us know
if you run into issues or have ideas!
Steve
>>> On 7/28/2009 at 1:15 PM, in message <4A6F4053.6030408 at hostgis.com>, Gregor at
HostGIS <gregor at hostgis.com> wrote:
>> Latest versions of MapServer allow you to set an env variable called
>> MS_MAPFILE_PATTERN
>
> Holy cow!
>
>
>> SetEnv MS_MAP_NO_PATH 1
>> SetEnv WMS1_MAPFILE 'some path'
>> SetEnv WMS2_MAPFILE 'some other path'
>
> Wow! Wow!
>
> Super cool. I hadn't even heard of these. Thanks for the tip!
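Added example, not part of the original message or of MapServer's own code: it compares a loose path pattern with one that restricts each path segment so that `..` cannot match. The map root `/srv/maps`, both patterns and the sample paths are constructed for illustration; the strict pattern avoids lookahead, on the assumption that the pattern is evaluated as a POSIX extended regular expression.

```python
import posixpath
import re

# Hypothetical map root, chosen for this example only.
MAP_ROOT = "/srv/maps"

# Loose pattern: '.*' also matches '../' sequences inside the path.
LOOSE = re.compile(r"^/srv/maps/.*\.map$")

# Strict pattern: each segment is limited to letters, digits, '_' and '-',
# so no segment can be '.' or '..'; the only dot allowed is the one in '.map'.
STRICT = re.compile(r"^/srv/maps/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$")


def loose_allows(path):
    return LOOSE.fullmatch(path) is not None


def strict_allows(path):
    return STRICT.fullmatch(path) is not None


def stays_under_root(path):
    """Independent check: normalise the path and confirm it is still below MAP_ROOT."""
    return posixpath.normpath(path).startswith(MAP_ROOT + "/")


# Constructed sample values for a 'map' request parameter.
SAMPLES = [
    "/srv/maps/wms1.map",
    "/srv/maps/county/roads.map",
    "/srv/maps/../../etc/other.map",
    "/srv/maps/a/../b.map",
    "/srv/mapsevil/x.map",
]


def evaluate(samples=SAMPLES):
    """Return (path, loose, strict, under_root) for each sample."""
    return [(p, loose_allows(p), strict_allows(p), stays_under_root(p)) for p in samples]


if __name__ == "__main__":
    for path, loose, strict, under in evaluate():
        print(f"{path:34} loose={loose!s:5} strict={strict!s:5} under_root={under}")
```

The loose pattern accepts both `..` samples, including the one that normalises to a path outside the root; the strict pattern rejects them at the cost of forbidding dots in directory and file names.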