Opened 18 years ago

Closed 15 years ago

Last modified 15 years ago

#1836 closed defect (fixed)

Handling of IMAGEPATH and IMAGEURL could be improved

Reported by: chust@… Owned by: sdlime
Priority: high Milestone:
Component: MapServer CGI Version: 4.8
Severity: normal Keywords:
Cc:

Description (last modified by sdlime)

Presently IMAGEPATH and IMAGEURL can not only be set via the CGI query string,
but values specified there also override any defaults specified in the map file.
In the standard configuration this allows anybody who can http the web server to
write data to nearly arbitrary places on the disk with the permissions of the
web server user. It also allows spoofing of served images.

In my humble opinion this poses a minor security risk and definitely a high risk
for annoyance of the administrator unless additional measures are taken to jail
the MapServer CGI in a chroot environment and run it under a dedicated user.

I would at least suggest that the values for IMAGEPATH and IMAGEURL given in the
map file should take precedence over CGI query parameters.

Change History (4)

comment:1 by sdlime, 18 years ago

Status: new → assigned
A fair point, but I'll have to think about practical abuses. In cases like this
it would be nice to develop a concrete example that exploits the hole. From
that, risk can be assessed.

"I would at least suggest that the values for IMAGEPATH and IMAGEURL given in 
the map file should take precedence over CGI query parameters."

Then there is no point in providing the capability... It only exists to ease
application configuration in cases where an app might be installed in many
environments (e.g. a demo).

Steve

comment:2 by sdlime, 15 years ago

Description: modified (diff)
Resolution: fixed
Status: assigned → closed

This ability has been totally removed in MapServer 5.4. These values can *only* be set within a mapfile.

Steve
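
The precedence problem the ticket describes (query-string IMAGEPATH/IMAGEURL replacing the mapfile values, so an unauthenticated client picks where rendered images are written and from which URL they are served) and the 5.4 resolution (the two names are simply not honoured from the query string) side by side. This is an added, simplified stand-in written for this page, not MapServer's own code: the `web_settings` struct, the `apply_cgi_params_*` functions, `parse_query` and `build_image_path` are hypothetical names, the query string is constructed, and there is no percent-decoding or real CGI plumbing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the IMAGEPATH / IMAGEURL settings of a mapfile's
   WEB section. Not MapServer's real structure. */
typedef struct {
    char imagepath[256];   /* directory the CGI writes rendered images into */
    char imageurl[256];    /* URL prefix under which those images are served back */
} web_settings;

/* One CGI query parameter, already split into name and value. */
typedef struct {
    const char *name;
    const char *value;
} cgi_param;

/* Minimal query-string splitter for the example: cuts "a=b&c=d" in place,
   no percent-decoding. Returns the number of name=value pairs found. */
size_t parse_query(char *qs, cgi_param *out, size_t max)
{
    size_t n = 0;
    char *tok = qs;
    while (tok && *tok && n < max) {
        char *amp = strchr(tok, '&');
        if (amp) *amp++ = '\0';
        char *eq = strchr(tok, '=');
        if (eq) {
            *eq = '\0';
            out[n].name = tok;
            out[n].value = eq + 1;
            n++;
        }
        tok = amp;
    }
    return n;
}

/* Pre-5.4 behaviour as the ticket describes it: a query parameter named
   IMAGEPATH or IMAGEURL replaces whatever the mapfile configured.
   Returns how many of the two settings were overridden by the client. */
int apply_cgi_params_vulnerable(web_settings *web, const cgi_param *params, size_t n)
{
    int overrides = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(params[i].name, "IMAGEPATH") == 0) {
            snprintf(web->imagepath, sizeof web->imagepath, "%s", params[i].value);
            overrides++;
        } else if (strcmp(params[i].name, "IMAGEURL") == 0) {
            snprintf(web->imageurl, sizeof web->imageurl, "%s", params[i].value);
            overrides++;
        }
    }
    return overrides;
}

/* 5.4 behaviour: the two names are not accepted from the query string at all.
   The mapfile values are left untouched; the count of ignored attempts is
   returned so a deployment could log probing clients. */
int apply_cgi_params_fixed(web_settings *web, const cgi_param *params, size_t n)
{
    (void)web;  /* deliberately never modified from CGI input */
    int ignored = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(params[i].name, "IMAGEPATH") == 0 ||
            strcmp(params[i].name, "IMAGEURL") == 0)
            ignored++;
    }
    return ignored;
}

/* Builds the on-disk path a rendered image would be written to and reports
   whether it still lies under the directory the administrator intended.
   Returns 1 when contained, 0 when the client has redirected the write. */
int build_image_path(const web_settings *web, const char *expected_dir,
                     const char *basename, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s%s", web->imagepath, basename);
    return strncmp(out, expected_dir, strlen(expected_dir)) == 0;
}

int main(void)
{
    /* Constructed request: a client trying to land the image inside DocumentRoot. */
    char query[] = "MAP=demo.map&IMAGEPATH=/var/www/html/&IMAGEURL=/";
    cgi_param params[8];
    size_t n = parse_query(query, params, 8);

    web_settings old = {"/tmp/ms_tmp/", "/ms_tmp/"};
    web_settings fixed = {"/tmp/ms_tmp/", "/ms_tmp/"};
    char path[512];

    apply_cgi_params_vulnerable(&old, params, n);
    printf("pre-5.4: writes to %s (contained: %d)\n", old.imagepath,
           build_image_path(&old, "/tmp/ms_tmp/", "demo.png", path, sizeof path));

    apply_cgi_params_fixed(&fixed, params, n);
    printf("5.4:     writes to %s (contained: %d)\n", fixed.imagepath,
           build_image_path(&fixed, "/tmp/ms_tmp/", "demo.png", path, sizeof path));
    return 0;
}
```

The point of the containment check in `build_image_path` is that, in the pre-5.4 flow, an image name that is otherwise perfectly valid ends up under a directory chosen by the client, with the web server user's permissions; once the query-string override is gone, the only way to move IMAGEPATH is to edit the mapfile.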

comment:3 by sdlime, 15 years ago

Back ported to 5.0 and 5.2 branches for completeness...

Steve

comment:4 by sdlime, 15 years ago

Also patched 4.10... Should have removed in 4.8, but I was a lazy ass.

Steve
