[mapserver-users] MapServer .map file security question

Stephen Woodbridge woodbri at swoodbridge.com
Tue Feb 19 08:20:15 PST 2013


On 2/19/2013 10:45 AM, Mark Volz wrote:
> Hi,
>
> I have a server that I would like to run both internal and external applications on it.  I know I can use apache to limit who can access internal web pages.  However, is there any mechanism to stop an external user from drawing an internal actual .map file?  For example, what would stop someone from changing the requested map from: http://myserver/cgi-bin/mapserv.exe?map=External.map.  To:  http://myserver/cgi-bin/mapserv.exe?map=Internal.map.
>
> I could see this as an issue if I want to enable wms.

One way would be to create a wrapper around mapserver for the internal 
vs external connections, that prepends a path to the mapfile path like:

map=/external/$map
vs
map=/internal/$map

You would need to do some check of the path to clean something like: 
../internal/...

The other thing you could do is run two instances of apache with 
different uids and separate the internal and external files into separate 
directories with filesystem perms that prevent external from accessing 
the internal ones.

Lots of choices, at the system level, probably not that many in mapserver.

Probably the best thing is two separate servers, the internal one not 
accessible from the external connection. Or maybe two virtual hosts on 
one box?

-Steve W
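
The wrapper check described in the reply above, as an added example (not code from the original post or from MapServer). The function names and the idea of passing the allowed directory in as `root` are assumptions for illustration; matching the `map` parameter name case-insensitively is a defensive assumption as well.

```python
import os
import re
from urllib.parse import parse_qsl, urlencode

# One path component: no separators and no leading dot, so "..", "/" and "\"
# can never pass. fullmatch() is used so a trailing newline cannot slip through.
_COMPONENT = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

class MapfileRejected(ValueError):
    """The requested mapfile is not inside the allowed directory."""

def resolve_mapfile(requested, root):
    """Return the absolute mapfile path under `root`, or raise MapfileRejected."""
    parts = requested.split("/")
    if not requested.endswith(".map") or not all(_COMPONENT.fullmatch(p) for p in parts):
        raise MapfileRejected(requested)
    root_real = os.path.realpath(root)
    # realpath also resolves symlinks, so a link inside root that points at
    # the internal directory is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise MapfileRejected(requested)
    return candidate

def rewrite_query(query_string, root):
    """Replace the client's map= value with the confined absolute path."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    maps = [v for k, v in pairs if k.lower() == "map"]
    if len(maps) != 1:  # a missing or repeated map parameter is refused
        raise MapfileRejected("exactly one map parameter is required")
    rest = [(k, v) for k, v in pairs if k.lower() != "map"]
    return urlencode([("map", resolve_mapfile(maps[0], root))] + rest)
```

A CGI wrapper for the external site would call `rewrite_query(os.environ["QUERY_STRING"], external_dir)`, answer with an error on `MapfileRejected`, and otherwise hand the rewritten query string to mapserv.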


