Opened 18 years ago

Closed 14 years ago

#1918 closed defect (invalid)

Verify/enhance security for runtime substitutions...

Reported by: sdlime Owned by: jmckenna
Priority: high Milestone:
Component: Documentation - MapServer Version: 5.0
Severity: normal Keywords:
Cc:

Description (last modified by dmorissette)

Man, I swear I already added this bug. Anyway, basically I think we need to 
make sure that runtime substitutions are not a big security hole. We only 
support a few, but allowing unfiltered substitution is likely dangerous. There 
is no way to say only integers allowed. While I don't believe there has ever 
been an exploit, there is the potential for buffer overruns (less likely) or SQL 
injection when substituting into a WHERE clause for one of the databases.

I don't know that there is one set of filtering that we could implement that 
would work in all cases. Rather, I think we need to allow for ad hoc filtering 
via regular expressions.

One idea might be to allow users to define filters based on variable names in a 
layer metadata section. For example, let's say you have an expression like:

  EXPRESSION ('[ID]' eq '%myid%')

so 'myid' is being passed into MapServer. Then you might set metadata like:

  METADATA
    myid_pattern  '[0-9]{5,10}?'
    ...
  END

This would restrict the value of 'myid' to a number between 5 and 10 
characters long.

Implementation would be pretty simple, impacting only a small portion of 
mapserv.c.

Steve

Change History (7)

comment:1 by sdlime, 18 years ago

Status: new → assigned

comment:2 by sdlime, 17 years ago

I committed an enhancement to mapserv.c today that allows users to define a
validation pattern in layer metadata. For example, let's say you are using a
variable foo to pass in a runtime change to an expression. Then you could set
something like:

  foo_validation_pattern "\d{3}"

The value supplied for foo *must* be a 3 digit integer. If not, a validation
error is returned.

Seems to work fine in testing. I chose layer-level metadata since all
substitutions are at the layer-level.

There are a couple of downsides:

  - users are not required to set a validation pattern
  - regex isn't the easiest of languages to master

Thoughts?

Steve
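The validation-pattern mechanism proposed in the ticket description and implemented per comment 2, as an added Python model (not MapServer's own C code from mapserv.c): layer metadata supplies a `<name>_validation_pattern` per substituted variable, and a `%name%` token is only replaced when the supplied value matches that pattern in full. The sample metadata and expression are constructed from the ticket's examples; refusing variables that have no pattern (fail closed) and anchoring the match to the whole value are this example's own choices, not behaviour the ticket states.

```python
import re

# Constructed sample layer METADATA, modelled on the ticket's two examples.
LAYER_METADATA = {
    "myid_validation_pattern": r"[0-9]{5,10}",  # an id of 5 to 10 digits
    "foo_validation_pattern": r"\d{3}",         # exactly three digits
}

# Constructed sample EXPRESSION carrying a runtime-substitution token.
EXPRESSION = "('[ID]' eq '%myid%')"

TOKEN = re.compile(r"%(\w+)%")

class ValidationError(ValueError):
    """A runtime-substitution value did not satisfy its pattern."""

def validate(name, value, metadata):
    """Return value if it matches <name>_validation_pattern in full."""
    key = f"{name}_validation_pattern"
    pattern = metadata.get(key)
    if pattern is None:
        # Example's own choice: no pattern means refuse (fail closed),
        # not substitute unfiltered.
        raise ValidationError(f"{key} not set; refusing to substitute %{name}%")
    # fullmatch anchors both ends: '1234' must not pass r'\d{3}' merely
    # because three digits occur somewhere inside it.
    if re.fullmatch(pattern, value) is None:
        raise ValidationError(f"value for {name!r} does not match {key}")
    return value

def is_valid(name, value, metadata):
    """True if validate() accepts the value, False if it rejects it."""
    try:
        validate(name, value, metadata)
    except ValidationError:
        return False
    return True

def substitute(expression, params, metadata):
    """Replace each supplied %name% token with its validated value."""
    def repl(match):
        name = match.group(1)
        if name not in params:
            return match.group(0)  # not supplied: leave token as-is
        return validate(name, params[name], metadata)
    return TOKEN.sub(repl, expression)

if __name__ == "__main__":
    print(substitute(EXPRESSION, {"myid": "12345"}, LAYER_METADATA))
    print(is_valid("myid", "12345 x", LAYER_METADATA))  # False: partial match
```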

comment:3 by sdlime, 17 years ago

Component: MapServer CGI → MapServer Documentation

With no feedback I'll assume the changes are ok. This doesn't break
compatibility and while technically a new feature I think anything security
related should be backported to the current version (which I have done).
Changing to a documentation bug...

Steve

comment:4 by jmckenna, 16 years ago

Owner: changed from sdlime to jmckenna
Status: assigned → new

comment:5 by jmckenna, 16 years ago

Milestone: 5.0.3 release

comment:6 by dmorissette, 14 years ago

Description: modified (diff)
Milestone: 5.6 release

Has this been documented already?

comment:7 by hobu, 14 years ago

Milestone: 5.6 release
Resolution: invalid
Status: new → closed

I think http://mapserver.org/cgi/runsub.html has it fairly well now. Done quite a while ago, so I'll move the milestone.
