Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Information disclosure at context parameter #6779

Closed
holsandre opened this issue Dec 30, 2022 · 0 comments · Fixed by #6780
Closed

Information disclosure at context parameter #6779

holsandre opened this issue Dec 30, 2022 · 0 comments · Fixed by #6780
Assignees
@rouault

Comments

@holsandre
Copy link

Steps to reproduce the problem.

see the output of these 2 requests, it gives the information which file is on the system and which is not

https://demo.mapserver.org/cgi-bin/wms?context=/etc/passwd

https://demo.mapserver.org/cgi-bin/wms?context=/etc/passwd2

Expected behavior

there should be an env paramenter like MS_MAP_PATTERN for context files
@rouault rouault self-assigned this Dec 30, 2022
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msCGILoadMap(): do not load file pointed by CONTEXT= unless it valida…
7a85086 
…tes new MS_MAP_CONTEXT_PATTERN configuration option (and doesn't validate MS_MAP_CONTEXT_BAD_PATTERN) (fixes MapServer#6779)
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msautotest: add a test for CONTEXT= loading (refs MapServer#6779)
775c29c
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msGetMapContextFileText(): add sanity check on file size (refs MapSer…
5d5298c 
…ver#6779)
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
CI: check that we can't load a OWS context file if MS_MAP_CONTEXT_PAT…
b440ec5 
…TERN is not defined (refs MapServer#6779)
@rouault rouault mentioned this issue Dec 30, 2022
Merged
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msCGILoadMap(): do not load file pointed by CONTEXT= unless it valida…
cd291c7 
…tes new MS_CONTEXT_PATTERN configuration option (and doesn't validate MS_CONTEXT_BAD_PATTERN) (fixes MapServer#6779)
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msautotest: add a test for CONTEXT= loading (refs MapServer#6779)
287347c
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
msGetMapContextFileText(): add sanity check on file size (refs MapSer…
a4325bb 
…ver#6779)
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
CI: check that we can't load a OWS context file if MS_CONTEXT_PATTERN…
0f36806 
… is not defined (refs MapServer#6779)
rouault added a commit to rouault/mapserver that referenced this issue Dec 30, 2022
@rouault
CI: check that we can't load a OWS context file if MS_CONTEXT_PATTERN…
4d4ec60 
… is not defined (refs MapServer#6779)
github-actions bot pushed a commit that referenced this issue Jan 3, 2023
@rouault @github-actions
msCGILoadMap(): do not load file pointed by CONTEXT= unless it valida…
dcc7749 
…tes new MS_CONTEXT_PATTERN configuration option (and doesn't validate MS_CONTEXT_BAD_PATTERN) (fixes #6779)
github-actions bot pushed a commit that referenced this issue Jan 3, 2023
@rouault @github-actions
msautotest: add a test for CONTEXT= loading (refs #6779)
a755ae8
github-actions bot pushed a commit that referenced this issue Jan 3, 2023
@rouault @github-actions
msGetMapContextFileText(): add sanity check on file size (refs #6779)
b65b1db
github-actions bot pushed a commit that referenced this issue Jan 3, 2023
@rouault @github-actions
CI: check that we can't load a OWS context file if MS_CONTEXT_PATTERN…
036e8dd 
… is not defined (refs #6779)
rouault added a commit to rouault/mapserver that referenced this issue Jan 3, 2023
@rouault
msCGILoadMap(): do not load file pointed by CONTEXT= unless it valida…
1ab19e7 
…tes new MS_CONTEXT_PATTERN configuration option (and doesn't validate MS_CONTEXT_BAD_PATTERN) (fixes MapServer#6779)
rouault added a commit to rouault/mapserver that referenced this issue Jan 3, 2023
@rouault
msautotest: add a test for CONTEXT= loading (refs MapServer#6779)
1c2b6f8
rouault added a commit to rouault/mapserver that referenced this issue Jan 3, 2023
@rouault
msGetMapContextFileText(): add sanity check on file size (refs MapSer…
7589699 
…ver#6779)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rouault rouault

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix information disclosure and denial of service related to CONTEXT= loading rouault/mapserver
2 participants
@rouault @holsandre