[Zoo-discuss] Security Advisory for MS4W users

Jeff McKenna jmckenna at gatewaygeomatics.com
Wed Mar 31 13:01:19 PDT 2021


Dear ZOO monkeys, please see the message below for those running MS4W 
(or MapServer on any operating system) on public-facing servers.  Thank-you.



-------- Forwarded Message --------

Hello everyone,

As the security of MS4W on your public-facing server is important, 
please take some time to review the possible security steps to enable 
for MS4W at:
https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation

You will notice MS4W examples, as well as instructions to use an online 
tool for testing your MS4W instance.

As stated there, setting the *MS_MAP_PATTERN* environment variable is 
strongly recommended for your server instance.

The past few weeks (and especially the past few days, which were full of 
intense regular expression testing) I have been working with Steve Lime 
closely and other MapServer steering committee members, to release the 
security advisory for MapServer: 
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html

Future MS4W releases will likely be tighter, with definitely the popular 
.exe installer setting & enabling the *MS_MAP_PATTERN* regular 
expression on-the-fly, for new installations, as well as providing a few 
default settings in the distributed Apache httpd.conf file.

MS4W security is my priority, always has been, and I hope the examples 
and expressions that I provided in the MS4W readme above help everyone 
implement, and take some of the fear of expressions away.

Thank-you all.


--
Thank-you for using MS4W.
"MS4W: open doors as well as windows"

-jeff


-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/
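
An added example, not part of the original message or of the MS4W readme: a small harness for checking a candidate *MS_MAP_PATTERN* expression against map paths before deploying it. The two patterns and all sample paths are constructed, Python's `re` stands in for MapServer's regex engine, and it is assumed that a `map` value is accepted when the expression matches anywhere in it.

```python
import re

# Both patterns are constructed for this example; neither is copied from the
# MS4W readme. Only POSIX-ERE-compatible syntax is used (no lookarounds).
WEAK = r"/ms4w/apps/.*\.map"
STRICT = r"^/ms4w/apps/[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.map$"

# Constructed values of the CGI "map" parameter: (value, should_be_allowed)
SAMPLES = [
    ("/ms4w/apps/demo/demo.map", True),
    ("/ms4w/apps/local-demo/itasca_2.map", True),
    ("/ms4w/apps/demo/../../tmp/other.map", False),  # leaves the apps tree
    ("/tmp/ms4w/apps/demo/demo.map", False),         # wrong root directory
    ("/ms4w/apps/demo/demo.map.bak", False),         # not a .map file
    ("/ms4w/Apache/conf/httpd.conf", False),         # server configuration
    ("demo.map", False),                             # relative path
]


def wrongly_decided(pattern, samples=SAMPLES):
    """Return the sample values the pattern allows or rejects incorrectly.

    Assumption: the server accepts a map value when the regex matches
    anywhere in it (search semantics), so anchoring is the pattern's job.
    """
    rx = re.compile(pattern)
    return [value for value, allowed in samples
            if bool(rx.search(value)) != allowed]


if __name__ == "__main__":
    for name, pattern in (("WEAK", WEAK), ("STRICT", STRICT)):
        bad = wrongly_decided(pattern)
        print(f"{name}: {len(bad)} wrong decision(s)")
        for value in bad:
            print("   ", value)
```

The unanchored pattern with `.*` accepts three paths it should refuse; the anchored pattern with explicit character classes decides all seven correctly.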







