diff --git a/.github/workflows/start.sh b/.github/workflows/start.sh
index 0ec7893dd8..0ad4953560 100755
--- a/.github/workflows/start.sh
+++ b/.github/workflows/start.sh
@@ -98,6 +98,10 @@ echo "Running CGI query"
 curl -s "http://localhost/cgi-bin/mapserv.cgi?MAP=/tmp/wfs_simple.map&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.xml
 cat /tmp/res.xml | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.xml && /bin/false)
 
+echo "Demonstrate that mapserv reject -conf passed through QUERY_STRING env variable"
+curl -s "http://localhost/cgi-bin/mapserv.cgi?-conf+bar" > /tmp/res.txt
+cat /tmp/res.txt | grep "conf switch cannot be used" >/dev/null || (cat /tmp/res.txt && /bin/false)
+
 echo "Running FastCGI query"
 curl -s "http://localhost/cgi-bin/mapserv.fcgi?MAP=/tmp/wfs_simple.map&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.xml
 cat /tmp/res.xml | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.xml && /bin/false)
@@ -131,6 +135,10 @@ mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/
 rm /tmp/install-mapserver/etc/mapserver.conf
 cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
 
+echo "Check that -conf switch parameter works in a non-CGI context"
+mapserv QUERY_STRING="MAP=MYMAPFILE&SERVICE=WFS&REQUEST=GetCapabilities" -conf /tmp/mapserver.conf > /tmp/res.txt
+cat /tmp/res.txt | grep wfs:WFS_Capabilities >/dev/null || (cat /tmp/res.txt && /bin/false)
+
 echo "Check that MS_MAP_NO_PATH works (rejecting a value not defined in the MAPS section)"
 MAPSERVER_CONFIG_FILE=/tmp/mapserver.conf mapserv QUERY_STRING="MAP=FOO&SERVICE=WFS&REQUEST=GetCapabilities" > /tmp/res.txt
 cat /tmp/res.txt | grep "Web application error" >/dev/null || (cat /tmp/res.txt && /bin/false)
diff --git a/mapserv.c b/mapserv.c
index 29f668cce7..f66f4c05dd 100644
--- a/mapserv.c
+++ b/mapserv.c
@@ -142,26 +142,49 @@ int main(int argc, char *argv[])
 ** Process -v and -h command line arguments first end exit. We want to avoid any error messages
 ** associated with msLoadConfig() or msSetup().
 */
+ const char* config_filename = NULL;
 for( iArg = 1; iArg < argc; iArg++ ) {
 if( strcmp(argv[iArg],"-v") == 0 ) {
 printf("%s\n", msGetVersion());
 fflush(stdout);
 exit(0);
 } else if (strcmp(argv[iArg], "-h") == 0 || strcmp(argv[iArg], "--help") == 0) {
- printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value]\n");
+ printf("Usage: mapserv [--help] [-v] [-nh] [QUERY_STRING=value] [PATH_INFO=value]\n");
+ printf(" [-conf filename]\n");
 printf("\n");
+ /* WARNING:
+ * Do not add any switch that can take an arbitrary value, without checking
+ * that the QUERY_STRING environment variable is *not* set, because in a
+ * CGI context, command line arguments can be generated from the content
+ * of the QUERY_STRING, and thus cause a security problem.
+ * For ex, "http://example.com/mapserv.cgi?-conf+bar
+ * would result in "mapserv.cgi -conf bar" being invoked.
+ * See https://github.com/MapServer/MapServer/pull/6429#issuecomment-952533589
+ * and https://datatracker.ietf.org/doc/html/rfc3875#section-4.4
+ */
 printf("Options :\n");
 printf(" -h, --help Display this help message.\n");
 printf(" -v Display version and exit.\n");
 printf(" -nh Suppress HTTP headers in CGI mode.\n");
+ printf(" -conf filename Filename of the MapServer configuration file.\n");
 printf(" QUERY_STRING=value Set the QUERY_STRING in GET request mode.\n");
 printf(" PATH_INFO=value Set the PATH_INFO for an API request.\n");
 fflush(stdout);
 exit(0);
+ } else if( iArg < argc-1 && strcmp(argv[iArg], "-conf") == 0) {
+ if( getenv("QUERY_STRING") != NULL ) {
+ /* Implement above WARNING security check. */
+ msSetError(MS_QUERYERR, "-conf switch cannot be used when QUERY_STRING environment "
+ "variable is set. Use QUERY_STRING= as a command line argument.", "main()");
+ msCGIWriteError(mapserv);
+ exit(0);
+ }
+ config_filename = argv[iArg+1];
+ ++iArg;
 }
 }
 
- config = msLoadConfig(NULL); // first thing
+ config = msLoadConfig(config_filename); // first thing
 if(config == NULL) {
 #ifdef USE_FASTCGI
 msIO_installFastCGIRedirect(); // FastCGI setup for error handling here
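Review bot: The new `-conf` branch only matches when `iArg < argc-1`, so a trailing `-conf` with no filename is silently skipped and `msLoadConfig(config_filename)` runs with NULL as if the switch had never been given; an explicit `else if( strcmp(argv[iArg], "-conf") == 0 )` branch that reports the missing filename would make a mistyped invocation fail visibly instead of loading a different configuration than the operator intended. The rejection path calls `msCGIWriteError(mapserv)` without the `msIO_installFastCGIRedirect()` setup that the `config == NULL` path just below performs under `USE_FASTCGI`, so it is worth confirming that the error body still reaches the client in a FastCGI build. That path also ends in `exit(0)`, which reports success to a shell caller that happens to have QUERY_STRING exported; a non-zero status would be clearer if nothing depends on the zero (not visible here). The WARNING comment is the only record of why the guard exists, yet it sits between the help `printf` calls; moving it directly above the `for` loop would put it where the next switch is likely to be added. main() begins and continues outside this hunk.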