Limit Mapfile Access

Author

Stephen Lime

Contact

sdlime at gmail.com

Author

Jeff McKenna

Contact

jmckenna at gatewaygeomatics.com

Last Updated

2021-06-03

The MapServer CGI, by default, will happily attempt to process any mapfile it is asked to. While this might be desirable in a development environment, it is not acceptable for public-facing installations. MapServer supports the use of specific environment variables, set at the web server tier, to limit access. Since the MapServer 7.6.3 release, you are required to use (a combination of) these environment variables to secure your installation; for earlier MapServer versions these environment variables are strongly recommended.

Warning

The vulnerability CVE-2021-32062 was fixed in the MapServer 7.6.3 release by requiring the use of the environment variables described in this document.

Note

Environment variables are only referenced by the MapServer CGI and are not used by MapScript in any way.

Key Environment Variables

See also

Associated Pull Request for the 7.6.3 release

Tip

The online tools RegExr & RegEx101 are great for testing regular expressions.

MS_MAP_BAD_PATTERN

New in version 7.6.3.

If set, this environment variable is interpreted as a regular expression that is tested against the value of the CGI map parameter; it specifies the problematic character sequences to reject. If the value matches, an error is generated. By default all MapServer installations (since 7.6.3) set a hardcoded value for MS_MAP_BAD_PATTERN of:

[/\\]{2}|[/\\]?\\.+[/\\]|,

which will therefore not allow “/../” or “//” in the map value.

Note

For Windows users, MS4W uses the PCRE regex library (which requires a slightly different regex syntax), so all future MS4W releases will contain the following default MS_MAP_BAD_PATTERN enabled (to not allow “/../” or “//” in the map value):

[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,

For more information see Securing your MS4W Installation

MS_MAP_NO_PATH

New in version 5.4.0.

If set, this environment variable limits values for the CGI map parameter to a curated (prepared) set of mapfiles explicitly defined by additional environment variables. This is the recommended way to secure mapfile access if at all possible.

Note

Mapfile-based environment variables (such as MS_MAPFILE) can be used without setting MS_MAP_NO_PATH.

MS_MAP_PATTERN

New in version 5.4.0.

If set, this environment variable is interpreted as a regular expression that is used to test the value of the CGI map parameter. If the value does not match, an error is generated.

Care must be taken to craft regular expressions that limit access to specific, trusted directories and limit path traversal. See the Environment Variables guide for examples.

Note

If defined, the MS_MAP_PATTERN variable only applies to mapfiles not already defined through an environment variable.

Setting Environment Variables

Mechanisms to set environment variables vary from web server to web server, but all provide the capability. Note that regular expression feature sets can vary by operating system and version.

  • Apache - https://httpd.apache.org/docs/current/env.html

    Apache’s SetEnv directive (available through the mod_env module) allows you to set environment variables in the Apache conf file with a single command:

    • Unix users may set the following expression in Apache to restrict mapfiles to the /opt/mapserver directory and subdirectories:

      SetEnv MS_MAP_PATTERN "^\/opt\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      

      Warning

      While testing for this documentation, the above MS_MAP_PATTERN failed on an old Debian Wheezy server, on a valid path such as MAP=/opt/mapserver/ogc-demos/wms.map (the dash in the ‘ogc-demos’ folder caused much grief) even though the dash was escaped in the provided character set of the expression.

      Therefore those running older regex libs should use the following instead, which puts the dash at the beginning of the character set of the expression, avoiding the escaping issue:

      SetEnv MS_MAP_PATTERN "^/osgeo/mapserver/([^.][-_A-Za-z0-9.]+/{1})*([-_A-Za-z0-9.]+.(map))$"

    • Windows Apache/MS4W users can set the following expression in the Apache conf file, to limit the possible MAP= paths to the common C:/ms4w/apps/ directory (where all MS4W mapfiles and applications live), allow encoded urls, allow “.” or “_” or “-” in MAP= paths but disallow “..” directory traversing:

      SetEnv MS_MAP_PATTERN "^(C:)?\/ms4w\/apps\/((?!\.{2})[_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      
  • Nginx - http://nginx.org/en/docs/ngx_core_module.html#env

  • IIS - https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/environmentvariables/
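
Before deploying a pattern, it helps to run it against values you expect to be allowed and values you expect to be refused. The following is an added example, not code from the MapServer project: it checks constructed map values against the MS4W forms of MS_MAP_BAD_PATTERN and MS_MAP_PATTERN shown on this page. It assumes the deny pattern is evaluated before the allow pattern and uses Python's `re` as a stand-in for the server's regex library, which may behave differently; `check_map_value` and `audit` are hypothetical helper names.

```python
import re

# Patterns copied from this page (the MS4W / PCRE-style forms).
MS_MAP_BAD_PATTERN = r"[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,"
MS_MAP_PATTERN = (
    r"^(C:)?\/ms4w\/apps\/((?!\.{2})[_A-Za-z0-9\-\.]+\/{1})*"
    r"([_A-Za-z0-9\-\.]+\.(map))$"
)


def check_map_value(value, pattern=MS_MAP_PATTERN, bad_pattern=MS_MAP_BAD_PATTERN):
    """Return (allowed, reason) for a candidate CGI map= value.

    Assumption of this sketch: the deny pattern is tested first, then the
    allow pattern. An unset (None/empty) pattern is skipped.
    """
    if bad_pattern and re.search(bad_pattern, value):
        return False, "matches MS_MAP_BAD_PATTERN"
    if pattern and not re.search(pattern, value):
        return False, "does not match MS_MAP_PATTERN"
    return True, "ok"


# Constructed sample values (not taken from any real request log).
SAMPLES = [
    "C:/ms4w/apps/demo/demo.map",        # expected: allowed
    "/ms4w/apps/my-app/wms_1.map",       # expected: allowed (drive letter optional)
    "C:/ms4w/apps/../../conf/x.map",     # "/../" sequence
    "C:\\ms4w\\apps\\..\\x.map",         # same idea with backslashes
    "C:/ms4w/apps//demo.map",            # doubled separator
    "C:/ms4w/apps/a,b.map",              # comma
    "C:/ms4w/other/demo.map",            # outside the trusted directory
    "C:/ms4w/apps/demo/demo.map.bak",    # wrong extension
]


def audit(samples=SAMPLES):
    """Map each sample value to its (allowed, reason) verdict."""
    return {value: check_map_value(value) for value in samples}


if __name__ == "__main__":
    for value, (allowed, reason) in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {value}  ({reason})")
```

Re-run the same samples on the target server after setting the variables, since the page notes that regex behaviour differs between libraries and versions.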