Opened 4 years ago
Closed 7 weeks ago
#333 closed task (fixed)
set default MS_MAP_BAD_PATTERN in Apache conf
| Reported by: | Jeff McKenna | Owned by: | Jeff McKenna |
|---|---|---|---|
| Priority: | blocker | Milestone: | 5.0.0 release |
| Component: | MS4W - Apache | Version: | 4.0.5 |
| Keywords: | Cc: | TC Haddad | |
| Blocked By: | Blocking: | #317 |
Description (last modified by )
- since MapServer 7.6.3, MapServer prevents MAP= directory traversing, and sets a hardcoded MS_MAP_BAD_PATTERN
- for the next MS4W release, Apache's httpd.conf must also contain a new default bad pattern, that specifically works with MS4W (and its PCRE regex library) :
SetEnv MS_MAP_BAD_PATTERN "[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"
which allows /./ but not /../ or /.../
- otherwise a scary and tricky error message will be returned:
msCGILoadMap(): Web application error. CGI variable "map" fails to validate. msEvalRegex(): Regular expression error. Failed to compile expression ([/\]{2}|[/\]?\.+[/\]|,). - This should also be documented in the readme (ticket#317)
- it should also be documented that this can be disabled with:
SetEnv MS_MAP_BAD_PATTERN "false"
- MS_MAP_BAD_PATTERN should also be set inside setenv.bat
Change History (6)
comment:1 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:4 by , 4 years ago
| Description: | modified (diff) |
|---|
comment:5 by , 3 years ago
| Milestone: | 4.1.0 release → 5.0.0 release |
|---|
comment:6 by , 7 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Available in the MS4W 5.0 release: https://ms4w.com/download.html
Note:
See TracTickets
for help on using tickets.
Milestone renamed