mapserv: add a -conf filename option to set configuration file

MapServer · Oct 27, 2021 · dd51650 · dd51650
1 parent 72e009e
commit dd51650
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/.github/workflows/start.sh b/.github/workflows/start.sh
@@ -98,6 +98,10 @@ echo "Running CGI query"
 curl -s "http://localhost/cgi-bin/mapserv.cgi?MAP=/tmp/wfs_simple.map&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.xml
 cat /tmp/res.xml | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.xml && /bin/false)
 
+echo "Demonstrate that mapserv reject -conf passed through QUERY_STRING env variable"
+curl -s "http://localhost/cgi-bin/mapserv.cgi?-conf+bar" > /tmp/res.txt
+cat /tmp/res.txt | grep "conf switch cannot be used" >/dev/null || (cat /tmp/res.txt && /bin/false)
+
 echo "Running FastCGI query"
 curl -s "http://localhost/cgi-bin/mapserv.fcgi?MAP=/tmp/wfs_simple.map&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.xml
 cat /tmp/res.xml | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.xml && /bin/false)
@@ -131,6 +135,10 @@ mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/
 rm /tmp/install-mapserver/etc/mapserver.conf
 cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
 
+echo "Check that -conf switch parameter works in a non-CGI context"
+mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" -conf /tmp/mapserver.conf > /tmp/res.txt
+cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
+
 echo "Check that MS_MAP_NO_PATH works (rejecting a value not defined in the MAPS section)"
 MAPSERVER_CONFIG_FILE=/tmp/mapserver.conf mapserv QUERY_STRING="MAP=FOO&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.txt
 cat /tmp/res.txt | grep "Web application error" >/dev/null || (cat /tmp/res.txt && /bin/false)

diff --git a/mapserv.c b/mapserv.c
@@ -142,26 +142,49 @@ int main(int argc, char *argv[])
   ** Process -v and -h command line arguments  first end exit. We want to avoid any error messages 
   ** associated with msLoadConfig() or msSetup().
   */
+  const char* config_filename = NULL;
   for( iArg = 1; iArg < argc; iArg++ ) {
     if( strcmp(argv[iArg],"-v") == 0 ) {
       printf("%s\n", msGetVersion());
       fflush(stdout);
       exit(0);
     } else if (strcmp(argv[iArg], "-h") == 0 || strcmp(argv[iArg], "--help") == 0) {
-      printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value]\n");
+      printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value] [PATH_INFO=value]\n");
+      printf("                [-conf filename]\n");
       printf("\n");
+      /* WARNING:
+       * Do not add any switch that can take an arbitrary value, without checking
+       * that the QUERY_STRING environment variable is *not* set, because in a
+       * CGI context, command line arguments can be generated from the content
+       * of the QUERY_STRING, and thus cause a security problem.
+       * For ex, "http://example.com/mapserv.cgi?-conf+bar
+       * would result in "mapserv.cgi -conf bar" being invoked.
+       * See https://github.com/MapServer/MapServer/pull/6429#issuecomment-952533589
+       * and https://datatracker.ietf.org/doc/html/rfc3875#section-4.4
+       */
       printf("Options :\n");
       printf("  -h, --help              Display this help message.\n");
       printf("  -v                      Display version and exit.\n");
       printf("  -nh                     Suppress HTTP headers in CGI mode.\n");
+      printf("  -conf filename          Filename of the MapServer configuration file.\n");
       printf("  QUERY_STRING=value      Set the QUERY_STRING in GET request mode.\n");
       printf("  PATH_INFO=value         Set the PATH_INFO for an API request.\n");
       fflush(stdout);
       exit(0);
+    } else if( iArg < argc-1 && strcmp(argv[iArg], "-conf") == 0) {
+      if( getenv("QUERY_STRING") != NULL ) {
+        /* Implement above WARNING security check. */
+        msSetError(MS_QUERYERR, "-conf switch cannot be used when QUERY_STRING environment "
+                "variable is set. Use QUERY_STRING= as a command line argument.", "main()");
+        msCGIWriteError(mapserv);
+        exit(0);
+      }
+      config_filename = argv[iArg+1];
+      ++iArg;
     }
   }
 
-  config = msLoadConfig(NULL); // first thing
+  config = msLoadConfig(config_filename); // first thing
   if(config == NULL) {
 #ifdef USE_FASTCGI
     msIO_installFastCGIRedirect(); // FastCGI setup for error handling here