#1836 closed defect (fixed)
Handling of IMAGEPATH and IMAGEURL could be improved
Reported by: | Owned by: | sdlime | |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | MapServer CGI | Version: | 4.8 |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
Presently IMAGEPATH and IMAGEURL can not only be set via the CGI query string, but values specified there also override any defaults specified in the map file. In the standard configuration this allows anybody who can http the web server to write data to nearly arbitrary places on the disk with the permissions of the web server user. It also allows spoofing of served images. In my humble opinion this poses a minor security risk and definitely a high risk for annoyance of the administrator unless additional measures are taken to jail the MapServer CGI in a chroot environment and run it under a dedicated user. I would at least suggest that the values for IMAGEPATH and IMAGEURL given in the map file should take precedence over CGI query parameters.
Change History (4)
comment:2 by , 15 years ago
Description: | modified (diff) |
---|---|
Resolution: | → fixed |
Status: | assigned → closed |
This ability has been totally removed in MapServer 5.4. These values can *only* be set within a mapfile.
Steve
comment:4 by , 15 years ago
Also patched 4.10... Should have removed in 4.8, but I was a lazy ass.
Steve
Note:
See TracTickets
for help on using tickets.