Opened 4 years ago
Last modified 4 months ago
#333 closed task
set default MS_MAP_BAD_PATTERN in Apache conf — at Initial Version
| Reported by: | Jeff McKenna | Owned by: | Jeff McKenna |
|---|---|---|---|
| Priority: | blocker | Milestone: | 5.0.0 release |
| Component: | MS4W - Apache | Version: | 4.0.5 |
| Keywords: | | Cc: | TC Haddad |
| Blocked By: | | Blocking: | #317 |
Description
- since MapServer 7.6.3, MapServer prevents MAP= directory traversing, and sets a hardcoded MS_MAP_BAD_PATTERN
- for the next MS4W release, Apache's httpd.conf must also contain a new default bad pattern that specifically works with MS4W:

      SetEnv MS_MAP_BAD_PATTERN "[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"

  which allows /./ but not /../ or /.../
- otherwise a scary and tricky error message will be returned:

      msCGILoadMap(): Web application error. CGI variable "map" fails to validate. msEvalRegex(): Regular expression error. Failed to compile expression ([/\]{2}|[/\]?\.+[/\]|,).
- This should also be documented in the readme (ticket#317)
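
An added example (not part of the ticket or of MS4W): the SetEnv pattern above run against constructed map= values, using Python's `re` as a stand-in for MapServer's regex engine and assuming the pattern is applied as an unanchored search. It also shows that the hardcoded pattern quoted in the error message does not compile under Python's rule that a backslash inside brackets is an escape; whether MS4W's engine fails for the same reason is an assumption.

```python
import re

# Pattern exactly as written in the SetEnv line of this ticket.
MS4W_BAD_PATTERN = r"[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"
# Hardcoded pattern exactly as quoted in the msEvalRegex() error message.
HARDCODED_PATTERN = r"[/\]{2}|[/\]?\.+[/\]|,"

_bad = re.compile(MS4W_BAD_PATTERN)


def is_rejected(map_value: str) -> bool:
    """True if the bad pattern matches anywhere in the map= value.

    Assumption: the pattern is used as a search, not a full match.
    """
    return _bad.search(map_value) is not None


def compiles(pattern: str) -> bool:
    """True if Python's re accepts the pattern (backslash escapes inside [])."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


# Constructed sample values, not taken from the ticket.
SAMPLES = [
    "C:/ms4w/apps/demo/./demo.map",     # /./ is allowed
    "C:/ms4w/apps/demo/v1..2.map",      # dots not followed by a separator
    "C:/ms4w/apps/demo/../other.map",   # /../
    "C:/ms4w/apps/.../other.map",       # /.../
    "C:\\ms4w\\apps\\..\\other.map",    # backslash separators
    "../other.map",                     # leading separator is optional
    "//host/share/other.map",           # doubled separator
    "a.map,b.map",                      # comma
]


def audit(samples):
    """Map each sample value to whether the bad pattern rejects it."""
    return {value: is_rejected(value) for value in samples}


if __name__ == "__main__":
    for value, rejected in audit(SAMPLES).items():
        print(f"{'REJECT' if rejected else 'allow ':6}  {value}")
    print("hardcoded pattern compiles:", compiles(HARDCODED_PATTERN))
```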