Opened 3 years ago
Last modified 3 years ago
#333 new task
set default MS_MAP_BAD_PATTERN in Apache conf — at Version 3
| Reported by: | Jeff McKenna | Owned by: | Jeff McKenna |
|---|---|---|---|
| Priority: | blocker | Milestone: | 5.0.0 release |
| Component: | MS4W - Apache | Version: | 4.0.5 |
| Keywords: | Cc: | TC Haddad | |
| Blocked By: | Blocking: | #317 |
Description (last modified by )
- since MapServer 7.6.3, MapServer prevents MAP= directory traversing, and sets a hardcoded MS_MAP_BAD_PATTERN
- for the next MS4W release, Apache's httpd.conf must also contain a new default bad pattern, that specifically works with MS4W (and its PCRE regex library) :
SetEnv MS_MAP_BAD_PATTERN "[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"
which allows /./ but not /../ or /.../
- otherwise a scary and tricky error message will be returned:
msCGILoadMap(): Web application error. CGI variable "map" fails to validate. msEvalRegex(): Regular expression error. Failed to compile expression ([/\]{2}|[/\]?\.+[/\]|,). - This should also be documented in the readme (ticket#317)
- it should also be documented that this can be disabled with:
SetEnv MS_MAP_BAD_PATTERN "false"
- This should also be set inside setenv.bat
Change History (3)
comment:1 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 3 years ago
| Description: | modified (diff) |
|---|
Note:
See TracTickets
for help on using tickets.
