Opened 11 years ago

#3486 new defect

Define mechanism for mapserv CGI debugging at the command-line without cli args

Reported by: dmorissette Owned by: dmorissette
Priority: normal Milestone: 6.0 release
Component: MapServer C Library Version: unspecified
Severity: normal Keywords:
Cc: sdlime

Description

From ticket #3485:

""" As part of a security audit of MapServer 5.6 it was found that some of the mapserv CGI command-line debug arguments constitute a security risk that could potentially be exploited. """

In this ticket we only disabled the possibly insecure args in the default build to address the immediate security issues and avoid disrupting point releases with a more important change. For MapServer 6.0, we should look into providing a more secure debugging and testing mechanism for developers of the mapserv CGI that does not involve command-line args at all.

For instance, the "QUERY_STRING=..." command-line arg could be replaced with the following on Unix/Linux?:

REQUEST_METHOD=GET QUERY_STRING='MAP=foo&REQUEST=GetMap&...' ./mapserv

Change History (0)

Note: See TracTickets for help on using tickets.