#3485 closed defect (fixed)
Disable insecure mapserv CGI command-line debug args
| Reported by: | dmorissette | Owned by: | dmorissette |
|---|---|---|---|
| Priority: | normal | Milestone: | 5.6.4 release |
| Component: | MapServer C Library | Version: | 5.6 |
| Severity: | normal | Keywords: | |
| Cc: | sdlime, aboudreault | | |
Description
As part of a security audit of MapServer 5.6 it was found that some of the mapserv CGI command-line debug arguments constitute a security risk that could potentially be exploited.
I will not disclose any of the details here, but we should take actions to avoid command-line args in CGI programs.
This will not affect functionality for regular mapserv CGI users... only for developers that used those command-line args to debug and test the software.
Change History (3)
comment:1 by , 14 years ago
Cc: | added |
---|---|
Status: | new → assigned |
comment:2 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
To create the smallest possible amount of disruption in point releases, for 5.6.4 we will simply disable all mapserv command-line debug args by default, except for "-v" which is useful to get mapserv version on an installed system, as well as "-nh" and "QUERY_STRING=..." which carry little risk and/or are used by msautotests and in some docs.
We should revisit this in MapServer 6.0 and possibly find a better mechanism to handle these debugging hooks that do not involve command-line args.
The disabled code will be enclosed inside #ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS. This means that -DMS_ENABLE_CGI_CL_DEBUG_ARGS must be explicitly set at compile time to re-enable those debug args (by devs who know what they are doing and understand the security implications). A --enable-cgi-cl-debug-args option will also be added to the configure script to facilitate setting this flag. Once again, this flag enables some potentially insecure command-line args and should not be enabled on production servers or by people who do not understand the security implications.
Fix for this committed in SVN branch-5-6 r10306 (will be in 5.6.4)
I will also backport the fix to older releases.
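The gating scheme described in the comment above, sketched as an added example (not MapServer's actual code): `-v`, `-nh` and `QUERY_STRING=...` are accepted in every build, and anything else is compiled in only under `MS_ENABLE_CGI_CL_DEBUG_ARGS`. The `-example-debug` flag, the function names and the fail-closed rejection of unknown arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result of checking one command-line argument. */
typedef enum { ARG_ALLOWED, ARG_DEBUG_ENABLED, ARG_REJECTED } arg_status;

/* Arguments the ticket keeps enabled in every build. */
static int is_always_allowed(const char *arg)
{
    return strcmp(arg, "-v") == 0 ||
           strcmp(arg, "-nh") == 0 ||
           strncmp(arg, "QUERY_STRING=", strlen("QUERY_STRING=")) == 0;
}

arg_status classify_arg(const char *arg)
{
    if (arg == NULL)
        return ARG_REJECTED;
    if (is_always_allowed(arg))
        return ARG_ALLOWED;
#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS
    /* Hypothetical placeholder, not a real mapserv flag: debug hooks are
     * compiled in only when the build sets -DMS_ENABLE_CGI_CL_DEBUG_ARGS. */
    if (strcmp(arg, "-example-debug") == 0)
        return ARG_DEBUG_ENABLED;
#endif
    return ARG_REJECTED; /* assumption: fail closed on anything else */
}

/* Index of the first rejected argument, or 0 when all are acceptable. */
int first_rejected_arg(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (classify_arg(argv[i]) == ARG_REJECTED)
            return i;
    return 0;
}

int main(int argc, char **argv)
{
    int bad = first_rejected_arg(argc, argv);
    if (bad) {
        fprintf(stderr, "argument not enabled in this build: %s\n", argv[bad]);
        return 1;
    }
    puts("arguments accepted");
    return 0;
}
```

Because the debug branch is removed by the preprocessor rather than switched off at run time, a default build contains no code path that a stray argument could reach.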