[mapserver-users] Security Advisory – Limiting Mapfile Access
Jeff McKenna
jmckenna at gatewaygeomatics.com
Wed Mar 31 05:30:01 PDT 2021
All: please share the advisory in your networks:
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html
-the MapServer PSC
On 2021-03-30 3:24 p.m., Steve Lime wrote:
> Hi all: This is an important reminder that, as part of a secure
> deployment, it is important to limit MapServer CGI access to mapfiles.
> The MapServer CGI has long supported the use of environment variables as
> a primary mechanism to do this. If you haven’t implemented these
> controls then that constitutes undue risk that is easily mitigated and
> we strongly encourage you to do so as soon as possible. It’s also a
> great time to review those settings if you already have them in place as
> we’ve recently updated regex examples related to MS_MAP_PATTERN to limit
> path traversal.
>
> Relevant documentation can be found at:
>
> * https://mapserver.org/optimization/limit_mapfile_access.html
> * https://mapserver.org/environment_variables.html
>
> Please don’t hesitate to reach out with questions.
>
> --Steve
>
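As an added illustration (not code from the advisory, the MapServer project or its documentation), the Python below emulates how an MS_MAP_PATTERN regex gates the CGI map= parameter, contrasting a suffix-only pattern with one anchored to a fixed directory and a restricted character set. The patterns, the base directory and the probe paths are constructed for this example, and MapServer evaluates the real pattern with the C library's POSIX regex matcher, so treat this as a way to sanity-check a candidate pattern before deploying it, not as MapServer's own logic.

```python
import re

# Constructed patterns for illustration; not the MapServer docs' own examples.
# Weak: only constrains the suffix, so any directory (including ".." segments)
# and any absolute path still pass as long as the value ends in ".map".
WEAK_PATTERN = r"\.map$"

# Hardened: anchored at both ends, pinned to one base directory (assumed path),
# and limited to a character class without "." so ".." segments, dotfiles and
# paths outside the base directory cannot match. Set in the web server's
# environment (e.g. Apache SetEnv MS_MAP_PATTERN "...") for the CGI.
STRICT_PATTERN = r"^/opt/mapserver/mapfiles/[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*\.map$"

# Constructed probe values a map= parameter might carry; only the first two
# point inside the assumed base directory.
PROBES = [
    "/opt/mapserver/mapfiles/roads.map",
    "/opt/mapserver/mapfiles/region/cities.map",
    "/opt/mapserver/mapfiles/../../outside/x.map",
    "/tmp/uploaded.map",
    "/opt/mapserver/mapfiles/roads.map.bak",
]


def mapfile_allowed(map_param: str, pattern: str) -> bool:
    """Emulate MS_MAP_PATTERN: the map= value is accepted only if the regex
    matches it. Unanchored search semantics mirror POSIX regexec, so a pattern
    without ^ and $ can match anywhere in the value."""
    return re.search(pattern, map_param) is not None


def evaluate(pattern: str) -> dict:
    """Return {probe: accepted} for every constructed probe under one pattern."""
    return {p: mapfile_allowed(p, pattern) for p in PROBES}


def traversal_rejected(pattern: str) -> bool:
    """True if the pattern rejects every probe that leaves the base directory."""
    outside = [p for p in PROBES if not p.startswith("/opt/mapserver/mapfiles/")
               or "/../" in p]
    return not any(mapfile_allowed(p, pattern) for p in outside)


if __name__ == "__main__":
    for name, pat in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, "rejects traversal:", traversal_rejected(pat))
        for probe, ok in evaluate(pat).items():
            print(f"  {'ALLOW' if ok else 'DENY '} {probe}")
```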