
List:       mapserver-announce
Subject:    [mapserver-announce] Security Advisory – Limiting Mapfile Access
From:       Jeff McKenna <jmckenna () gatewaygeomatics ! com>
Date:       2021-03-31 12:58:23
Message-ID: 7016714f-dc3a-4d91-519a-bf1d88fe97fb () gatewaygeomatics ! com

This is an important reminder that, as part of a secure deployment, it 
is important to limit MapServer CGI access to mapfiles. The MapServer 
CGI has long supported the use of environment variables as a primary 
mechanism to do this. If you haven't implemented these controls then 
that constitutes undue risk that is easily mitigated and we strongly 
encourage you to do so as soon as possible. It's also a great time to 
review those settings if you already have them in place as we've 
recently updated regex examples related to MS_MAP_PATTERN to limit path 
traversal.

Relevant documentation can be found at:

   * Limit Mapfile Access: 
https://mapserver.org/optimization/limit_mapfile_access.html
   * Environment Variables: https://mapserver.org/environment_variables.html

Please don't hesitate to reach out with questions.

(please also distribute this advisory to your networks, with this url: 
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html )

--the MapServer PSC
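
Added example, not part of the original advisory and not the regex from the MapServer documentation: a small audit that checks whether a candidate MS_MAP_PATTERN value still accepts paths that resolve outside the mapfile directory. The directory, both patterns and the sample paths are constructed assumptions, and Python's re module stands in for the regex engine MapServer uses, so only syntax common to both is used.

```python
import posixpath
import re

MAP_ROOT = "/opt/mapserver/maps"  # hypothetical mapfile directory (assumption)

# Constructed pattern that only pins the prefix and extension; ".*" also spans "../".
WEAK_PATTERN = r"^/opt/mapserver/maps/.*\.map$"

# Constructed pattern: every path segment must start with a letter or digit,
# so "." and ".." segments (and hidden files) can never match.
STRICT_PATTERN = (
    r"^/opt/mapserver/maps/"
    r"([A-Za-z0-9][A-Za-z0-9_.-]*/)*"
    r"[A-Za-z0-9][A-Za-z0-9_.-]*\.map$"
)

# Constructed sample values for the CGI "map" parameter.
CANDIDATES = [
    "/opt/mapserver/maps/roads.map",
    "/opt/mapserver/maps/city/roads.map",
    "/opt/mapserver/maps/city/./roads.map",
    "/opt/mapserver/maps/.hidden.map",
    "/opt/mapserver/maps/../../../tmp/other.map",
    "/opt/mapserver/maps/city/../../private/secret.map",
    "/etc/other.map",
]

def accepted(pattern, candidates=CANDIDATES):
    """Candidates the pattern would let through."""
    rx = re.compile(pattern)
    return [p for p in candidates if rx.search(p)]

def leaks(pattern, candidates=CANDIDATES, root=MAP_ROOT):
    """Accepted candidates whose normalized path lands outside root."""
    return [p for p in accepted(pattern, candidates)
            if not posixpath.normpath(p).startswith(root + "/")]

if __name__ == "__main__":
    for name, pat in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, "accepts:", accepted(pat))
        print(name, "leaks:  ", leaks(pat))
```

Substituting the pattern and mapfile directory of an existing deployment into the same audit is one way to carry out the review the advisory asks for.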





