id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	blockedby	blocking
333	set default MS_MAP_BAD_PATTERN in Apache conf	Jeff McKenna	Jeff McKenna	"- since !MapServer 7.6.3, !MapServer prevents MAP= directory traversing, and sets a hardcoded MS_MAP_BAD_PATTERN
- for the next MS4W release, Apache's httpd.conf must also contain a new default bad pattern, that specifically works with MS4W (and its PCRE regex library) :
{{{
  SetEnv MS_MAP_BAD_PATTERN ""[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,""
}}}
which allows /./ but not /../ or /.../
* otherwise a scary and tricky error message will be returned:
{{{
  msCGILoadMap(): Web application error. CGI variable ""map"" fails to validate. msEvalRegex(): Regular expression error. Failed to compile expression ([/\]{2}|[/\]?\.+[/\]|,). 
}}}
* This should also be documented in the readme (ticket#317)
* it should also be  documented that this can be disabled with:
{{{
  SetEnv MS_MAP_BAD_PATTERN ""false""
}}}"	task	new	blocker	4.1.0 release	MS4W - Apache	4.0.5			TC Haddad		317