msLoadMapContext(): add validation of filename against MS_CONTEXTFILE_PATTERN, which defaults to .xml extension

rouault · rouault · commit f49a01db3e11 · 2023-01-03T21:11:54.000+01:00
diff --git a/mapcontext.c b/mapcontext.c
@@ -30,6 +30,7 @@
 #include "mapows.h"
 
 #include "cpl_vsi.h"
+#include "cpl_conv.h"
 
 
 #if defined(USE_WMS_LYR)
@@ -1130,6 +1131,12 @@ int msLoadMapContext(mapObj *map, const char *filename, int unique_layer_names)
   int nVersion=-1;
   char szVersionBuf[OWS_VERSION_MAXLEN];
 
+  const char *ms_contextfile_pattern = CPLGetConfigOption("MS_CONTEXTFILE_PATTERN", MS_DEFAULT_CONTEXTFILE_PATTERN);
+  if(msEvalRegex(ms_contextfile_pattern, filename) != MS_TRUE) {
+    msSetError(MS_REGEXERR, "Filename validation failed." , "msLoadMapContext()");
+    return MS_FAILURE;
+  }
+
   /*  */
   /* Load the raw XML file */
   /*  */
diff --git a/mapserver.h b/mapserver.h
@@ -231,6 +231,7 @@ extern "C" {
 #else
 #define MS_DEFAULT_MAPFILE_PATTERN "\\.map$"
 #endif
+#define MS_DEFAULT_CONTEXTFILE_PATTERN "\\.[Xx][Mm][Ll]$"
 #define MS_TEMPLATE_MAGIC_STRING "MapServer Template"
 #define MS_TEMPLATE_EXPR "\\.(xml|wml|html|htm|svg|kml|gml|js|tmpl)$"
 
