[mapserver-users] MapServer .map file security question

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Tue Feb 19 08:17:45 PST 2013


It's tricky though using the same webserver instance. If you have separate instances (e.g. different ports, names or whatever) on the same box you can use the MS_MAP_PATTERN environment variable (given as a regex) to restrict allowable mapfile patterns. If you had in separate directories (e.g. internal/appname/foo.map and external/appname/foo.map) you could limit things that way too. Be careful though because back references (../../..) can be hard to catch.

Steve  

-----Original Message-----
From: mapserver-users-bounces at lists.osgeo.org [mailto:mapserver-users-bounces at lists.osgeo.org] On Behalf Of Jörg Thomsen
Sent: Tuesday, February 19, 2013 10:04 AM
To: mapserver-users at lists.osgeo.org
Subject: Re: [mapserver-users] MapServer .map file security question

Hello Mark,

have a look at
http://mapserver.org/ogc/wms_server.html#changing-the-online-resource-url

If using 'Apache SetEnvIf' you could redirect to different cgi-directories and there use allow-from / deny-from rules.

Regards, Jörg

Am 19.02.2013 16:45, schrieb Mark Volz:
> Hi,
> 
> I have a server that I would like to run both internal and external applications on it.  I know I can use apache to limit who can access internal web pages.  However, is there any mechanism to stop an external user from drawing an internal actual .map file?  For example, what would stop someone from changing the requested map from: http://myserver/cgi-bin/mapserv.exe?map=External.map.  To:  http://myserver/cgi-bin/mapserv.exe?map=Internal.map.
> 
> I could see this as an issue if I want to enable wms.
> 
> Thanks
>  
> Mark Volz
> GIS Specialist
> 
> 
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-users
> 

_______________________________________________
mapserver-users mailing list
mapserver-users at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users





More information about the MapServer-users mailing list