Limit Mapfile Access

Author

Stephen Lime

Contact

sdlime at gmail.com

Author

Jeff McKenna

Contact

jmckenna at gatewaygeomatics.com

Last Updated

2021-06-03

The MapServer CGI, by default, will happily attempt to process any mapfile it is asked to. While this might be desireable in a development environment, it is not acceptable for public-facing installations. MapServer supports the use of specific environment variables, set at the web server tier, to limit access. Since the MapServer 7.6.3 release, you are required to use (a combination of) these environment variables to secure your installation; for earlier MapServer versions these environment variables are strongly recommended.

Avvertimento

The vulnerability CVE-2021-32062 was fixed through the MapServer 7.6.3 release, through requiring the use of the environment variables described in this MapServer document.

Nota

Environment variables are only referenced by the MapServer CGI and are not used by MapScript in any way.

Key Environment Variables

Vedi anche

Associated Pull Request for the 7.6.3 release

Suggerimento

The online tools RegExr & RegEx101 are great for testing regular expressions.

MS_MAP_BAD_PATTERN

Nuovo nella versione 7.6.3.

If set, this environment variable is interpreted as regular expression that is used to test the value of the CGI map parameter, by specifying which problematic character sequences to avoid. If the value matches then an error is generated. By default all MapServer installations (since 7.6.3) set a hardcoded value for MS_MAP_BAD_PATTERN of:

[/\\]{2}|[/\\]?\\.+[/\\]|,

which will therefore not allow «/../» or «//» in the map value.

Nota

For Windows users, MS4W uses the PCRE regex library (which requires a slightly different regex syntax), so all future MS4W releases will contain the following default MS_MAP_BAD_PATTERN enabled (to not allow «/../» or «//» in the map value) :

[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,

For more information see Securing your MS4W Installation

MS_MAP_NO_PATH

Nuovo nella versione 5.4.0.

If set, this environment variable limits values for the CGI map parameter to a curated (prepared) set of mapfiles explicitly defined by additional environment variables. This is the recommended way to secure mapfile access if at all possible.

Nota

Mapfile-based environment variables (such as MS_MAPFILE) can be used without setting MS_MAP_NO_PATH.

MS_MAP_PATTERN

Nuovo nella versione 5.4.0.

If set, this environment variable is interpreted as regular expression that is used to test the value of the CGI map parameter. If the value does not match then an error is generated.

Care must be taken to craft regular expressions that limit access to specific, trusted directories and limit path traversal:. See the Environment Variables guide for examples.

Nota

If defined, the MS_MAP_PATTERN variable only applies to mapfiles not already defined through an environment variable.

Setting Environment Variables

Mechanisms to set environment variables vary from web server to web server, but all provide the capability. (regular expression feature sets can vary by operating system and version)

  • Apache - https://httpd.apache.org/docs/current/env.html

    Apache’s SetEnv directive (available through the mod_env module) allows you to set environment variables in the Apache conf file with a single command:

    • Unix users may set the following expression in Apache to restrict mapfiles to the /opt/mapserver directory and subdirectories:

      SetEnv MS_MAP_PATTERN "^\/opt\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      

      Avvertimento

      During testing during this documentation process, the above MS_MAP_PATTERN failed on an old Debian Wheezy server, on a valid path such as MAP=/opt/mapserver/ogc-demos/wms.map (the dash in the “ogr-demos” folder caused much grief) even though the dash was escaped in the provided character set of the expression.

      Therefore those running older regex libs should use the following instead, which puts the dash at the beginning of the character set of the expression, avoiding the escaping issue:

      SetEnv MS_MAP_PATTERN «^/osgeo/mapserver/([^.][-_A-Za-z0-9.]+/{1})*([-_A-Za-z0-9.]+.(map))$»

    • Windows Apache/MS4W users can set the following expression in the Apache conf file, to limit the possible MAP= paths to the common C:/ms4w/apps/ directory (where all MS4W mapfiles and applications live), allow encoded urls, allow «.» or «_» or «-» in MAP= paths but disallow «..» directory traversing:

      SetEnv MS_MAP_PATTERN "^(C:)?\/ms4w\/apps\/((?!\.{2})[_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      
  • Nginx - http://nginx.org/en/docs/ngx_core_module.html#env

  • IIS - https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/environmentvariables/