Ticket #2939 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

msLoadQuery() does not validate file extension when loading saved query files

Reported by: sdlime
Owned by: sdlime
Priority: high
Milestone: 6.0 release
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc: jmckenna

Description

This can be used to probe a system for files that ARE NOT present. Since any value can be passed, the code will attempt to open the file and then, if missing, will report that fact. The solution is to validate the file extension before accessing the file and, if not ending with .qy, throw an error. Basically mirroring behavior used with mapfiles.

Might also make sense to add a magic key at the top of the file for further validation.

Steve
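The check described in this ticket, as an added example that is not MapServer source and not part of the original report: the name is validated before any filesystem call, then the first line is compared against a magic key. The function names, return codes, `QY_MAGIC` value and `/tmp` sample paths are all assumptions made for illustration.

```c
/* Added example, not MapServer code. All names and QY_MAGIC are hypothetical. */
#include <stdio.h>
#include <string.h>

#define QY_EXT   ".qy"
#define QY_MAGIC "EXAMPLE_QUERY_FILE"   /* hypothetical magic key */

enum { QY_OK = 0, QY_BAD_NAME, QY_OPEN_FAILED, QY_BAD_MAGIC };

/* 1 if filename ends in ".qy" with at least one character before it. */
static int has_qy_extension(const char *filename) {
    size_t n, e = strlen(QY_EXT);
    if (filename == NULL) return 0;
    n = strlen(filename);
    return n > e && strcmp(filename + n - e, QY_EXT) == 0;
}

/* Validate the name first, then the first line of the file. */
int load_query_checked(const char *filename) {
    char line[64];
    FILE *fp;
    /* Rejected before any filesystem call: for names without the .qy
       extension the result is the same whether or not the file exists. */
    if (!has_qy_extension(filename)) return QY_BAD_NAME;
    fp = fopen(filename, "r");
    if (fp == NULL) return QY_OPEN_FAILED;
    if (fgets(line, sizeof line, fp) == NULL) line[0] = '\0';
    fclose(fp);
    line[strcspn(line, "\r\n")] = '\0';   /* strip the line ending */
    return strcmp(line, QY_MAGIC) == 0 ? QY_OK : QY_BAD_MAGIC;
}

/* Writes a constructed sample file for the demo; returns 0 on success. */
int write_sample(const char *path, const char *first_line) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(first_line, fp);
    return fclose(fp);
}

int main(void) {
    write_sample("/tmp/gr_example_ok.qy", QY_MAGIC "\n");
    write_sample("/tmp/gr_example_bad.qy", "not a query file\n");
    printf("%d %d %d %d\n", load_query_checked("/etc/passwd"),
           load_query_checked("/tmp/gr_example_missing.qy"),
           load_query_checked("/tmp/gr_example_bad.qy"),
           load_query_checked("/tmp/gr_example_ok.qy"));
    return 0;
}
```

Open failures are still distinguishable for names that do end in .qy, so callers that expose error text should return one generic message for every non-`QY_OK` code.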

Change History

Changed 5 years ago by sdlime

  • priority changed from normal to high
  • status changed from new to assigned

Changed 5 years ago by sdlime

Referencing CVE-2009-0843...

Changed 5 years ago by jmckenna

  • cc jmckenna added

Changed 5 years ago by sdlime

  • milestone changed from 5.2.2 release to 5.4 release

Fixed in r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.

Steve

Changed 5 years ago by sdlime

  • milestone changed from 5.4 release to 6.0 release

Fixed in 5.4 branch in r8853, moving to 6.0/trunk.

Steve

Changed 5 years ago by sdlime

  • status changed from assigned to closed
  • resolution set to fixed

Main problem fixed in trunk. Query files will likely see attention as part of other changes so I'll close this. No documentation carry over...

Steve

Changed 5 years ago by aboudreault

Backported to branch-5-0 in r9199
