Disable insecure mapserv cgi command-line debug params by default (#3485

) git-svn-id: http://svn.osgeo.org/mapserver/branches/branch-5-4@10314 7532c77e-422f-0410-93f4-f0b67bdd69e2
MapServer · Jul 8, 2010 · 0743231 · 0743231
1 parent 62817f9
commit 0743231
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 6 deletions.
diff --git a/HISTORY.TXT b/HISTORY.TXT
@@ -13,6 +13,15 @@ For a complete change history, please see the Subversion log comments.
 
 Current Version:
 ----------------
+
+- Disabled some insecure (and potentially exploitable) mapserv command-line
+  debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch
+  can be used to re-enable them for devs who really cannot get away without
+  them and who understand the potential security risk (not recommended for 
+  production servers or those who don't understand the security implications).
+
+- Fixed possible buffer overflow in msTmpFile() (#3484)
+
 - fix blending of transparent layers with AGG on MSB archs (#3471)
 
 - Fix security exception issue in C# with MSVC2010 (#3438)

diff --git a/README.CONFIGURE b/README.CONFIGURE
@@ -54,6 +54,12 @@ Optional Features:
   --disable-fast-nint     Use safe MS_NINT with reliable rounding
   --enable-debug          Include "-g" in CFLAGS for debugging.
   --disable-debug         Do not include "-g" in CFLAGS (the default).
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
   --enable-gcov           Enable source code coverage testing using gcov
   --enable-perlv-ld-detect (applies to --with-php only)
                           Use perl -V output to figure the command to use to
@@ -658,6 +664,15 @@ Miscellaneous flags:
   --enable-debug          Include "-g" in CFLAGS for debugging.
   --disable-debug         Do not include "-g" in CFLAGS (the default).
 
+::
+
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
+
 ::
 
   --enable-gcov           Enable source code coverage testing using gcov

diff --git a/configure b/configure
@@ -856,6 +856,12 @@ Optional Features:
   --disable-fast-nint     Use safe MS_NINT with reliable rounding
   --enable-debug          Include "-g" in CFLAGS for debugging.
   --disable-debug         Do not include "-g" in CFLAGS (the default).
+  --enable-cgi-cl-debug-args
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on
+                          development servers and only if you understand the
+                          security implications.
   --enable-gcov           Enable source code coverage testing using gcov
   --enable-perlv-ld-detect (applies to --with-php only)
                           Use perl -V output to figure the command to use to
@@ -11100,6 +11106,79 @@ echo "$as_me: error: '$PG_CONFIG' is not an executable.  Make sure you use --wit
   POSTGIS_ENABLED=-DUSE_POSTGIS
   POSTGIS_LIB="-L`$PG_CONFIG --libdir` -lpq"
   POSTGIS_INC="-I`$PG_CONFIG --includedir`"
+
+  old_LDFLAGS="$LDFLAGS"
+  LDFLAGS="$LDFLAGS -L`$PG_CONFIG --libdir`"
+  echo "$as_me:$LINENO: checking for PQserverVersion in -lpq" >&5
+echo $ECHO_N "checking for PQserverVersion in -lpq... $ECHO_C" >&6
+if test "${ac_cv_lib_pq_PQserverVersion+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpq  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char PQserverVersion ();
+int
+main ()
+{
+PQserverVersion ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_pq_PQserverVersion=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pq_PQserverVersion=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQserverVersion" >&5
+echo "${ECHO_T}$ac_cv_lib_pq_PQserverVersion" >&6
+if test $ac_cv_lib_pq_PQserverVersion = yes; then
+  POSTGIS_ENABLED="$POSTGIS_ENABLED -DPOSTGIS_HAS_SERVER_VERSION"
+fi
+
+  LDFLAGS="$old_LDFLAGS"
+
 fi
 
 POSTGIS_ENABLED=$POSTGIS_ENABLED
@@ -12252,6 +12331,21 @@ else
   CFLAGS=`echo "$CFLAGS " | sed "s/-g //"`
 fi
 
+
+{ echo "$as_me:$LINENO: checking whether we should enable mapserv CGI command-line debug arguments..." >&5
+echo "$as_me: checking whether we should enable mapserv CGI command-line debug arguments..." >&6;}
+# Check whether --enable-cgi-cl-debug-args or --disable-cgi-cl-debug-args was given.
+if test "${enable_cgi_cl_debug_args+set}" = set; then
+  enableval="$enable_cgi_cl_debug_args"
+
+fi;
+
+if test "$enable_cgi_cl_debug_args" = "yes" ; then
+  DEBUG_FLAGS="$DEBUG_FLAGS -DMS_ENABLE_CGI_CL_DEBUG_ARGS"
+  echo "$as_me:$LINENO: result:         Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS." >&5
+echo "${ECHO_T}        Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS." >&6
+fi
+
 DEBUG_FLAGS=$DEBUG_FLAGS
 
 ALL_ENABLED="$DEBUG_FLAGS $ALL_ENABLED"

diff --git a/configure.in b/configure.in
@@ -2231,6 +2231,24 @@ else
   CFLAGS=`echo "$CFLAGS " | sed "s/-g //"`
 fi
 
+dnl ---------------------------------------------------------------------
+dnl Check --enable-cgi-cl-debug-args option (OFF by default)
+dnl ---------------------------------------------------------------------
+
+AC_CHECKING(whether we should enable mapserv CGI command-line debug arguments)
+AC_ARG_ENABLE(cgi-cl-debug-args,
+[  --enable-cgi-cl-debug-args 
+                          Enable mapserv CGI command-line debug arguments
+                          (disabled by default). These command-line args may
+                          be insecure and should be enabled only on 
+                          development servers and only if you understand the 
+                          security implications.],,)
+
+if test "$enable_cgi_cl_debug_args" = "yes" ; then
+  DEBUG_FLAGS="$DEBUG_FLAGS -DMS_ENABLE_CGI_CL_DEBUG_ARGS"
+  AC_MSG_RESULT([        Enabling (potentially insecure) mapserv CGI command-line debug arguments: -DMS_ENABLE_CGI_CL_DEBUG_ARGS.])
+fi
+
 AC_SUBST(DEBUG_FLAGS, $DEBUG_FLAGS)
 ALL_ENABLED="$DEBUG_FLAGS $ALL_ENABLED"
 

diff --git a/mapserv.c b/mapserv.c
@@ -1153,13 +1153,23 @@ int main(int argc, char *argv[]) {
   /*      purposes, and to query the version info.                        */
   /* -------------------------------------------------------------------- */
   for( iArg = 1; iArg < argc; iArg++ ) {
+    /* Keep only "-v", "-nh" and "QUERY_STRING=..." enabled by default.
+     * The others will require an explicit -DMS_ENABLE_CGI_CL_DEBUG_ARGS
+     * at compile time.
+     */
     if( strcmp(argv[iArg],"-v") == 0 ) {
       printf("%s\n", msGetVersion());
       fflush(stdout);
       exit(0);
     } else if(strcmp(argv[iArg], "-nh") == 0) {
       sendheaders = MS_FALSE;
-    } else if( iArg < argc-1 && strcmp(argv[iArg], "-tmpbase") == 0) {
+    } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0 ) {
+      /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
+      putenv( "REQUEST_METHOD=GET" );
+      putenv( argv[iArg] );
+    }
+#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS
+    else if( iArg < argc-1 && strcmp(argv[iArg], "-tmpbase") == 0) {
       msForceTmpFileBase( argv[++iArg] );
     } else if( iArg < argc-1 && strcmp(argv[iArg], "-t") == 0) {
       char **tokens;
@@ -1175,11 +1185,9 @@ int main(int argc, char *argv[]) {
       }
 
       exit(0);
-    } else if( strncmp(argv[iArg], "QUERY_STRING=", 13) == 0) {
-      /* Debugging hook... pass "QUERY_STRING=..." on the command-line */
-      putenv( "REQUEST_METHOD=GET" );
-      putenv( argv[iArg] );
-    } else {
+    } 
+#endif /* MS_ENABLE_CGI_CL_DEBUG_ARGS */
+    else {
       /* we don't produce a usage message as some web servers pass junk arguments */
     }
   }