Merge pull request #6429 from rouault/config_file_reports_improvements

Config file reports improvements

.github/workflows/start.sh

@@ -131,6 +131,10 @@ mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/
 rm /tmp/install-mapserver/etc/mapserver.conf
 cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
 
+echo "Check that -conf switch parameter works in a non-CGI context"
+mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" -conf /tmp/mapserver.conf > /tmp/res.txt
+cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
+
 echo "Check that MS_MAP_NO_PATH works (rejecting a value not defined in the MAPS section)"
 MAPSERVER_CONFIG_FILE=/tmp/mapserver.conf mapserv QUERY_STRING="MAP=FOO&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.txt
 cat /tmp/res.txt | grep "Web application error" >/dev/null || (cat /tmp/res.txt && /bin/false)

map2img.c

@@ -27,6 +27,8 @@
  * DEALINGS IN THE SOFTWARE.
  ****************************************************************************/
 
+#include <stdbool.h>
+
 #include "mapserver.h"
 #include "maptime.h"
 
@@ -62,7 +64,8 @@ int main(int argc, char *argv[])
     fprintf(stdout,
             "Syntax: map2img -m mapfile [-o image] [-e minx miny maxx maxy] [-s sizex sizey]\n"
             "               [-l \"layer1 [layers2...]\"] [-i format]\n"
-            "               [-all_debug n] [-map_debug n] [-layer_debug n] [-p n] [-c n] [-d layername datavalue]\n");
+            "               [-all_debug n] [-map_debug n] [-layer_debug n] [-p n] [-c n] [-d layername datavalue]\n"
+            "               [-conf filename]\n");
     fprintf(stdout,"  -m mapfile: Map file to operate on - required\n" );
     fprintf(stdout,"  -i format: Override the IMAGETYPE value to pick output format\n" );
     fprintf(stdout,"  -o image: output filename (stdout if not provided)\n");
@@ -75,6 +78,7 @@ int main(int argc, char *argv[])
     fprintf(stdout,"  -c n: draw map n number of times\n" );
     fprintf(stdout,"  -p n: pause for n seconds after reading the map\n" );
     fprintf(stdout,"  -d layername datavalue: change DATA value for layer\n" );
+    fprintf(stdout,"  -conf filename: filename of the MapServer configuration file.\n" );
     exit(0);
   }
 
@@ -83,6 +87,8 @@ int main(int argc, char *argv[])
     exit(1);
   }
 
+  bool some_debug_requested = FALSE;
+  const char* config_filename = NULL;
   for(i=1; i<argc; i++) {
     if (strcmp(argv[i],"-c") == 0) { /* user specified number of draws */
       iterations = atoi(argv[i+1]);
@@ -97,17 +103,34 @@ int main(int argc, char *argv[])
     if(i < argc-1 && strcmp(argv[i], "-all_debug") == 0) { /* global debug */
       int debug_level = atoi(argv[++i]);
 
+      some_debug_requested = TRUE;
+
       msSetGlobalDebugLevel(debug_level);
 
-      /* Send output to stderr by default */
-      if (msGetErrorFile() == NULL)
-        msSetErrorFile("stderr", NULL);
+      continue;
+    }
+
+    if(i < argc-1 && (strcmp(argv[i], "-map_debug") == 0 ||
+                      strcmp(argv[i], "-layer_debug") == 0)) {
+
+      some_debug_requested = TRUE;
+      continue;
+    }
 
+    if(i < argc-1 && strcmp(argv[i], "-conf") == 0) {
+      config_filename = argv[i+1];
+      ++i;
       continue;
     }
   }
 
-  config = msLoadConfig(NULL);
+  if( some_debug_requested ) {
+    /* Send output to stderr by default */
+    if (msGetErrorFile() == NULL)
+      msSetErrorFile("stderr", NULL);
+  }
+
+  config = msLoadConfig(config_filename);
 
   for(draws=0; draws<iterations; draws++) {
 
@@ -214,10 +237,6 @@ int main(int argc, char *argv[])
 
       if(i < argc-1 && strcmp(argv[i], "-map_debug") == 0) { /* debug */
         map->debug = atoi(argv[++i]);
-
-        /* Send output to stderr by default */
-        if (msGetErrorFile() == NULL)
-          msSetErrorFile("stderr", NULL);
       }
 
       if(i < argc-1 && strcmp(argv[i], "-layer_debug") == 0) { /* debug */
@@ -235,10 +254,6 @@ int main(int argc, char *argv[])
           fprintf( stderr,
                    " Did not find layer '%s' from -layer_debug switch.\n",
                    layer_name );
-
-        /* Send output to stderr by default */
-        if (msGetErrorFile() == NULL)
-          msSetErrorFile("stderr", NULL);
       }
 
       if(strcmp(argv[i],"-e") == 0) { /* change extent */

mapserv-config.cpp

@@ -135,6 +135,7 @@ configObj *msLoadConfig(const char* ms_config_file)
   msAcquireLock(TLOCK_PARSER);
 
   if((msyyin = fopen(ms_config_file, "r")) == NULL) {    
+    msDebug("Cannot open configuration file %s.\n", ms_config_file);
     msSetError(MS_IOERR, "See mapserver.org/config_file.html for more information.", "msLoadConfig()");
     msReleaseLock(TLOCK_PARSER);
     msFree(config);

mapserv.c

@@ -32,6 +32,7 @@
 #endif
 
 #include "mapserver-config.h"
+#include <stdbool.h>
 #include <stdlib.h>
 
 #ifdef USE_FASTCGI
@@ -131,7 +132,6 @@ static int msIO_installFastCGIRedirect()
 /************************************************************************/
 int main(int argc, char *argv[])
 {
-  int iArg;
   int sendheaders = MS_TRUE;
   struct mstimeval execstarttime, execendtime;
   struct mstimeval requeststarttime, requestendtime;
@@ -142,26 +142,46 @@ int main(int argc, char *argv[])
   ** Process -v and -h command line arguments  first end exit. We want to avoid any error messages 
   ** associated with msLoadConfig() or msSetup().
   */
-  for( iArg = 1; iArg < argc; iArg++ ) {
-    if( strcmp(argv[iArg],"-v") == 0 ) {
-      printf("%s\n", msGetVersion());
-      fflush(stdout);
-      exit(0);
-    } else if (strcmp(argv[iArg], "-h") == 0 || strcmp(argv[iArg], "--help") == 0) {
-      printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value]\n");
-      printf("\n");
-      printf("Options :\n");
-      printf("  -h, --help              Display this help message.\n");
-      printf("  -v                      Display version and exit.\n");
-      printf("  -nh                     Suppress HTTP headers in CGI mode.\n");
-      printf("  QUERY_STRING=value      Set the QUERY_STRING in GET request mode.\n");
-      printf("  PATH_INFO=value         Set the PATH_INFO for an API request.\n");
-      fflush(stdout);
-      exit(0);
+  const char* config_filename = NULL;
+  const bool use_command_line_options = getenv("QUERY_STRING") == NULL;
+  if (use_command_line_options) {
+    /* WARNING:
+     * Do not parse command line arguments (especially those that could have
+     * dangerous consequences if controlled through a web request), without checking
+     * that the QUERY_STRING environment variable is *not* set, because in a
+     * CGI context, command line arguments can be generated from the content
+     * of the QUERY_STRING, and thus cause a security problem.
+     * For ex, "http://example.com/mapserv.cgi?-conf+bar
+     * would result in "mapserv.cgi -conf bar" being invoked.
+     * See https://github.com/MapServer/MapServer/pull/6429#issuecomment-952533589
+     * and https://datatracker.ietf.org/doc/html/rfc3875#section-4.4
+    */
+    for( int iArg = 1; iArg < argc; iArg++ ) {
+      if( strcmp(argv[iArg],"-v") == 0 ) {
+        printf("%s\n", msGetVersion());
+        fflush(stdout);
+        exit(0);
+      } else if (strcmp(argv[iArg], "-h") == 0 || strcmp(argv[iArg], "--help") == 0) {
+        printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value] [PATH_INFO=value]\n");
+        printf("                [-conf filename]\n");
+        printf("\n");
+        printf("Options :\n");
+        printf("  -h, --help              Display this help message.\n");
+        printf("  -v                      Display version and exit.\n");
+        printf("  -nh                     Suppress HTTP headers in CGI mode.\n");
+        printf("  -conf filename          Filename of the MapServer configuration file.\n");
+        printf("  QUERY_STRING=value      Set the QUERY_STRING in GET request mode.\n");
+        printf("  PATH_INFO=value         Set the PATH_INFO for an API request.\n");
+        fflush(stdout);
+        exit(0);
+      } else if( iArg < argc-1 && strcmp(argv[iArg], "-conf") == 0) {
+        config_filename = argv[iArg+1];
+        ++iArg;
+      }
     }
   }
 
-  config = msLoadConfig(NULL); // first thing
+  config = msLoadConfig(config_filename); // first thing
   if(config == NULL) {
 #ifdef USE_FASTCGI
     msIO_installFastCGIRedirect(); // FastCGI setup for error handling here
@@ -194,20 +214,22 @@ int main(int argc, char *argv[])
   /*      commandline switches, but we provide a few for test/debug       */
   /*      purposes.                                                       */
   /* -------------------------------------------------------------------- */
-  for( iArg = 1; iArg < argc; iArg++ ) {
-    if(strcmp(argv[iArg], "-nh") == 0) {
-      sendheaders = MS_FALSE;
-      msIO_setHeaderEnabled( MS_FALSE );
-    } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0 ) {
-      /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
-      putenv( "REQUEST_METHOD=GET" );
-      /* coverity[tainted_string] */
-      putenv( argv[iArg] );
-    } else if( strncmp(argv[iArg], "PATH_INFO=", 10) == 0 ) {
-      /* Debugging hook for APIs... pass "PATH_INFO=..." on the command-line */
-      putenv( "REQUEST_METHOD=GET" );
-      /* coverity[tainted_string] */
-      putenv( argv[iArg] );
+  if(use_command_line_options) {
+    for( int iArg = 1; iArg < argc; iArg++ ) {
+      if(strcmp(argv[iArg], "-nh") == 0) {
+        sendheaders = MS_FALSE;
+        msIO_setHeaderEnabled( MS_FALSE );
+      } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0 ) {
+        /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
+        putenv( "REQUEST_METHOD=GET" );
+        /* coverity[tainted_string] */
+        putenv( argv[iArg] );
+      } else if( strncmp(argv[iArg], "PATH_INFO=", 10) == 0 ) {
+        /* Debugging hook for APIs... pass "PATH_INFO=..." on the command-line */
+        putenv( "REQUEST_METHOD=GET" );
+        /* coverity[tainted_string] */
+        putenv( argv[iArg] );
+      }
     }
   }