[mapserver-users] Security Advisory – Limiting Mapfile Access

[Jeff McKenna]

All: please share the advisory in your networks: 
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html

-the MapServer PSC



On 2021-03-30 3:24 p.m., Steve Lime wrote:
> Hi all: This is an important reminder that, as part of a secure 
> deployment, it is important to limit MapServer CGI access to mapfiles. 
> The MapServer CGI has long supported the use of environment variables as 
> a primary mechanism to do this. If you haven’t implemented these 
> controls then that constitutes undue risk that is easily mitigated and 
> we strongly encourage you to do so as soon as possible. It’s also a 
> great time to review those settings if you already have them in place as 
> we’ve recently updated regex examples related to MS_MAP_PATTERN to limit 
> path traversal.
> 
> Relevant documentation can be found at:
> 
>   * https://mapserver.org/optimization/limit_mapfile_access.html
>     <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmapserver.org%2Foptimization%2Flimit_mapfile_access.html&data=04%7C01%7Csteve.lime%40state.mn.us%7C83d18f834100493d07d208d8f38cb6e4%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637527134622587147%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=nm9oinfRBIW6p2O2MWFa%2FEwSggN0OU75ITLisrSNXck%3D&reserved=0>
>   * https://mapserver.org/environment_variables.html
>     <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmapserver.org%2Fenvironment_variables.html%23environment-variables&data=04%7C01%7Csteve.lime%40state.mn.us%7C83d18f834100493d07d208d8f38cb6e4%7Ceb14b04624c445198f26b89c2159828c%7C0%7C0%7C637527134622597107%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SU5H%2F0IKrina79Ts9X47fv8X3AHC0TRAwX2N4p3%2BOvA%3D&reserved=0>
> 
> Please don’t hesitate to reach out with questions.
> 
> --Steve
>