@@ -201,41 +201,67 @@ mapObj *msCGILoadMap(mapservObj *mapserv)
201
201
int i , j ;
202
202
mapObj * map = NULL ;
203
203
204
+ const char * ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|," ;
205
+ const char * ms_map_env_bad_pattern_default = "^(AUTH_.*|CERT_.*|CONTENT_(LENGTH|TYPE)|DOCUMENT_(ROOT|URI)|GATEWAY_INTERFACE|HTTP.*|QUERY_STRING|PATH_(INFO|TRANSLATED)|REMOTE_.*|REQUEST_(METHOD|URI)|SCRIPT_(FILENAME|NAME)|SERVER_.*)" ;
206
+
207
+ int ms_mapfile_tainted = MS_TRUE ;
204
208
const char * ms_mapfile = CPLGetConfigOption ("MS_MAPFILE" , NULL );
209
+
205
210
const char * ms_map_no_path = CPLGetConfigOption ("MS_MAP_NO_PATH" , NULL );
206
211
const char * ms_map_pattern = CPLGetConfigOption ("MS_MAP_PATTERN" , NULL );
212
+ const char * ms_map_env_pattern = CPLGetConfigOption ("MS_MAP_ENV_PATTERN" , NULL );
213
+
214
+ const char * ms_map_bad_pattern = CPLGetConfigOption ("MS_MAP_BAD_PATTERN" , NULL );
215
+ if (ms_map_bad_pattern == NULL ) ms_map_bad_pattern = ms_map_bad_pattern_default ;
216
+
217
+ const char * ms_map_env_bad_pattern = CPLGetConfigOption ("MS_MAP_ENV_BAD_PATTERN" , NULL );
218
+ if (ms_map_env_bad_pattern == NULL ) ms_map_env_bad_pattern = ms_map_env_bad_pattern_default ;
207
219
208
220
for (i = 0 ; i < mapserv -> request -> NumParams ; i ++ ) /* find the mapfile parameter first */
209
221
if (strcasecmp (mapserv -> request -> ParamNames [i ], "map" ) == 0 ) break ;
210
222
211
223
if (i == mapserv -> request -> NumParams ) {
212
- if (ms_mapfile != NULL ) {
213
- map = msLoadMap (ms_mapfile ,NULL );
214
- } else {
224
+ if (ms_mapfile == NULL ) {
215
225
msSetError (MS_WEBERR , "CGI variable \"map\" is not set." , "msCGILoadMap()" ); /* no default, outta here */
216
226
return NULL ;
217
227
}
228
+ ms_mapfile_tainted = MS_FALSE ;
218
229
} else {
219
- if (getenv (mapserv -> request -> ParamValues [i ])) /* an environment variable references the actual file to use */
220
- map = msLoadMap (getenv (mapserv -> request -> ParamValues [i ]), NULL );
221
- else {
222
- /* by here we know the request isn't for something in an environment variable */
223
- if (ms_map_no_path != NULL ) {
224
- msSetError (MS_WEBERR , "Mapfile not found in environment variables and this server is not configured for full paths." , "msCGILoadMap()" );
230
+ if (getenv (mapserv -> request -> ParamValues [i ])) { /* an environment variable references the actual file to use */
231
+ /* validate env variable name */
232
+ if (msIsValidRegex (ms_map_env_bad_pattern ) == MS_FALSE || msCaseEvalRegex (ms_map_env_bad_pattern , mapserv -> request -> ParamValues [i ]) == MS_TRUE ) {
233
+ msSetError (MS_WEBERR , "CGI variable \"map\" fails to validate." , "msCGILoadMap()" );
225
234
return NULL ;
226
235
}
227
-
228
- if (ms_map_pattern != NULL && msEvalRegex (ms_map_pattern , mapserv -> request -> ParamValues [i ]) != MS_TRUE ) {
229
- msSetError (MS_WEBERR , "Parameter 'map' value fails to validate." , "msCGILoadMap()" );
236
+ if (ms_map_env_pattern != NULL && msEvalRegex (ms_map_env_pattern , mapserv -> request -> ParamValues [i ]) != MS_TRUE ) {
237
+ msSetError (MS_WEBERR , "CGI variable \"map\" fails to validate." , "msCGILoadMap()" );
230
238
return NULL ;
231
239
}
240
+ ms_mapfile = getenv (mapserv -> request -> ParamValues [i ]);
241
+ } else {
242
+ /* by now we know the request isn't for something in an environment variable */
243
+ if (ms_map_no_path != NULL ) {
244
+ msSetError (MS_WEBERR , "CGI variable \"map\" not found in environment and this server is not configured for full paths." , "msCGILoadMap()" );
245
+ return NULL ;
246
+ }
247
+ ms_mapfile = mapserv -> request -> ParamValues [i ];
248
+ }
249
+ }
232
250
233
- /* ok to try to load now */
234
- map = msLoadMap (mapserv -> request -> ParamValues [i ], NULL );
251
+ /* validate ms_mapfile if tainted */
252
+ if (ms_mapfile_tainted == MS_TRUE ) {
253
+ if (msIsValidRegex (ms_map_bad_pattern ) == MS_FALSE || msEvalRegex (ms_map_bad_pattern , ms_mapfile ) == MS_TRUE ) {
254
+ msSetError (MS_WEBERR , "CGI variable \"map\" fails to validate." , "msCGILoadMap()" );
255
+ return NULL ;
256
+ }
257
+ if (ms_map_pattern != NULL && msEvalRegex (ms_map_pattern , ms_mapfile ) != MS_TRUE ) {
258
+ msSetError (MS_WEBERR , "CGI variable \"map\" fails to validate." , "msCGILoadMap()" );
259
+ return NULL ;
235
260
}
236
261
}
237
-
238
262
263
+ /* ok to try to load now */
264
+ map = msLoadMap (ms_mapfile , NULL );
239
265
if (!map ) return NULL ;
240
266
241
267
if (!msLookupHashTable (& (map -> web .validation ), "immutable" )) {
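Review bot: The allow-list checks at new lines 236 and 257 are skipped whenever MS_MAP_ENV_PATTERN or MS_MAP_PATTERN is unset, so in a default deployment a request-supplied `map` value is constrained only by the two built-in deny lists. `ms_map_bad_pattern_default` rejects doubled separators, dot segments and commas but still accepts an absolute path unless MS_MAP_NO_PATH is set, and `ms_map_env_bad_pattern_default` can only cover the variable names someone thought to list. If compatibility allows, fail closed for tainted input, e.g. `if (ms_map_pattern == NULL || msEvalRegex(ms_map_pattern, ms_mapfile) != MS_TRUE) {`; otherwise say so above the defaults with `/* deny lists only: set MS_MAP_PATTERN and MS_MAP_ENV_PATTERN to allow-list what a request may select */`. Separately, `getenv()` is called at line 230 and again at 240; storing the first result in a local avoids the repeat lookup. msCGILoadMap starts before and continues past this hunk.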