Opened 5 weeks ago

Last modified 5 weeks ago

#333 new task

set default MS_MAP_BAD_PATTERN in Apache conf

Reported by: Jeff McKenna Owned by: Jeff McKenna
Priority: blocker Milestone: 4.1.0 release
Component: MS4W - Apache Version: 4.0.5
Keywords: Cc: TC Haddad
Blocked By: Blocking: #317

Description (last modified by Jeff McKenna)

  • since MapServer 7.6.3, MapServer prevents MAP= directory traversing, and sets a hardcoded MS_MAP_BAD_PATTERN
  • for the next MS4W release, Apache's httpd.conf must also contain a new default bad pattern, that specifically works with MS4W (and its PCRE regex library) :
      SetEnv MS_MAP_BAD_PATTERN "[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"
    

which allows /./ but not /../ or /.../

  • otherwise a scary and tricky error message will be returned:
      msCGILoadMap(): Web application error. CGI variable "map" fails to validate. msEvalRegex(): Regular expression error. Failed to compile expression ([/\]{2}|[/\]?\.+[/\]|,). 
    
  • This should also be documented in the readme (ticket#317)
  • it should also be documented that this can be disabled with:
      SetEnv MS_MAP_BAD_PATTERN "false"
    
  • MS_MAP_BAD_PATTERN should also be set inside setenv.bat

Change History (4)

comment:1 by Jeff McKenna, 5 weeks ago

Description: modified (diff)

comment:2 by Jeff McKenna, 5 weeks ago

Description: modified (diff)

comment:3 by Jeff McKenna, 5 weeks ago

Description: modified (diff)

comment:4 by Jeff McKenna, 5 weeks ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.