Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2939 closed defect (fixed)

msLoadQuery() does not validate file extension when loading saved query files

Reported by: sdlime Owned by: sdlime
Priority: high Milestone: 6.0 release
Component: MapServer C Library Version: unspecified
Severity: normal Keywords:
Cc: jmckenna


This can be used to probe a system for files that ARE NOT present. Since any value can be passed the code will attempt to open then file and then if missing will report that that fact. The solution is to validate the file extension before accessing the file and if not ending with .qy throw an error. Basically mirroring behavior used with mapfiles.

Might also make sense to add a magic key at the top of the file for further validation.


Change History (7)

comment:1 Changed 8 years ago by sdlime

  • Priority changed from normal to high
  • Status changed from new to assigned

comment:2 Changed 8 years ago by sdlime

Referencing CVE-2009-0843...

comment:3 Changed 8 years ago by jmckenna

  • Cc jmckenna added

comment:4 Changed 8 years ago by sdlime

  • Milestone changed from 5.2.2 release to 5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.


comment:5 Changed 8 years ago by sdlime

  • Milestone changed from 5.4 release to 6.0 release

Fixed in 5.4 branch in r8853, moving to 6.0/trunk.


comment:6 Changed 8 years ago by sdlime

  • Resolution set to fixed
  • Status changed from assigned to closed

Main problem fixed in trunk. Query files will likely see attention as part of other changes so I'll close this. No documentation carry over...


comment:7 Changed 8 years ago by aboudreault

Backported to branch-5-0 in r9199

Note: See TracTickets for help on using tickets.