[mapserver-users] CGI variable "map" fails to validate.

Steve Lime sdlime at gmail.com
Thu Jun 3 07:46:50 PDT 2021


I should note that 7.6.3 (also 7.4.5, 7.2.3 and 7.0.8) should make defining
a value for MS_MAP_PATTERN much simpler. We updated things to use two
filters instead of one. The first, MS_MAP_BAD_PATTERN, checks for
problematic character sequences in the map value, for example /./, /../ or
// and fails if there is a match. This means you don't have to account for
those with MS_MAP_PATTERN alone and you can just write something simple
like:

  MS_MAP_PATTERN "^\/etc\/mapserver"

You need to be running the latest version for this to work as intended and
of course that's strongly recommended.

--Steve
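
The two-stage check described in the message above, as an added example that is not part of the original post and not MapServer's own code: a deny filter runs first, then the simple allow pattern. `BAD_PATTERN`, `validate_map` and `compare` are hypothetical names; the deny regex is a constructed stand-in covering only the three sequences named in the message, and Python's `re` stands in for whichever regex engine a given MapServer build uses.

```python
import re

# Assumption: constructed stand-in for MS_MAP_BAD_PATTERN, covering only the
# three sequences named in the message (/./, /../ and //). The real default
# value is not shown in the thread.
BAD_PATTERN = re.compile(r"/\.{1,2}/|//")

# The simple allow pattern quoted in the message.
MAP_PATTERN = re.compile(r"^\/etc\/mapserver")


def validate_map(value, allow=MAP_PATTERN, deny=BAD_PATTERN):
    """Return (ok, reason) for a CGI 'map' value: deny filter first, then allow."""
    if deny is not None and deny.search(value):
        return False, "bad-pattern"
    if not allow.search(value):
        return False, "no-allow-match"
    return True, "ok"


# Constructed sample values; the first is the map path from the log line
# quoted later in the thread.
SAMPLES = [
    "/etc/mapserver/puobod/krpk-puobod-red.map",
    "/etc/mapserver/../other/x.map",
    "/etc/mapserver/./x.map",
    "/etc/mapserver//x.map",
    "/srv/other/x.map",
]


def compare(samples=SAMPLES):
    """Rows of (value, allow_only_ok, two_filter_ok)."""
    return [
        (v, validate_map(v, deny=None)[0], validate_map(v)[0])
        for v in samples
    ]


if __name__ == "__main__":
    for value, allow_only, both in compare():
        print(f"{value:45} allow-only={allow_only!s:5} two-filter={both}")
```

The allow-only column shows why a bare prefix pattern is not enough on its own: every value that starts with `/etc/mapserver` passes it, including the ones containing `/../`, `/./` and `//`.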


On Thu, Jun 3, 2021 at 8:12 AM Jeff McKenna via mapserver-users <
mapserver-users at lists.osgeo.org> wrote:

> Hi David,
>
> MS4W also uses PCRE for its regex engine, so Windows users will soon be
> facing these same issues as you (I'll be making this as easy as possible
> for the new Windows users).
>
> So to answer your question: I believe most users aren't yet aware of
> what regex engine they use, and I also believe that the PCRE regex
> engine is used more frequently in the MapServer community than is
> believed. (Most automated tests do not use PCRE, for example, even
> though it is so commonly used.)
>
> I'm not sure if I have the answer that you need, but I wanted to give a
> perspective from the Windows side.
>
> -jeff
>
>
> --
> Jeff McKenna
> GatewayGeo: Developers of MS4W, MapServer Consulting and Training
> co-founder of FOSS4G
> http://gatewaygeo.com/
>
>
>
> On 2021-06-03 9:29 a.m., David Pavlíček via mapserver-users wrote:
> > Hi Steve,
> > your pattern works like a charm... escaped hyphen was the issue. I
> > tested the previous regex with regex101.com <http://regex101.com> and it
> > matches with no problems against most of the available variants except
> > PCRE. Which regex engine is suitable for a test against MapServer?
> >
> > Thank you.
> >
> > On Wed, 2. 6. 2021 at 15:16, Steve Lime <sdlime at gmail.com> wrote:
> >
> >     Hi David: Presumably the Docker image is running the most recent
> >     version of 7.4 which would have that pull request applied. That
> >     said, I don't think it's the culprit here and I have seen some
> >     issues with -'s where the MS_MAP_PATTERN expression compiles fine
> >     but doesn't match as expected. Re-writing the expression to move the
> >     - character can help. Try this:
> >
> >
> >     MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][-_A-Za-z0-9\.]+\/{1})*([-_A-Za-z0-9\.]+\.map)$
> >
> >     --Steve
> >
> >     On Wed, Jun 2, 2021 at 3:07 AM David Pavlíček via mapserver-users
> >     <mapserver-users at lists.osgeo.org> wrote:
> >
> >         Hello,
> >         I'm using camptocamp/mapserver:7.4 docker image to run mapserver
> >         on our servers and I have recently encountered this error:
> >
> >         [warn] [pid 25] mod_fcgid: stderr: msCGILoadMap(): Web
> >         application error. CGI variable "map" fails to validate.
> >         2098 - 172.17.0.1 - - [02/Jun/2021:04:57:42 +0000] "GET
> >         /?map=/etc/mapserver/puobod/krpk-puobod-red.map&request=getcapabilities&service=WMS"
> >
> >         In fact, any mapfile with hyphens won't work. They fail against
> >         MS_MAP_PATTERN regex or something. This is strange because I
> >         tested this regex and it works fine. Container MS ENV variables
> >         look like this:
> >
> >         MS_ERRORFILE=stderr
> >         MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.map)$
> >         MS_DEBUGLEVEL=0
> >         MS_MAPFILE=/etc/mapserver/mapserver.map
> >
> >         Maybe something related to this PR:
> >         https://github.com/MapServer/MapServer/pull/6314
> >
> >         Any suggestions about that? Renaming project is not an option
> >         because they are referenced in many places outside of our direct
> >         reach (GIS clients, servers, etc)
> >
> >         Thanks, David