Limit Mapfile Access

Author:

Stephen Lime

Contact:

sdlime at gmail.com

Author:

Jeff McKenna

Contact:

jmckenna at gatewaygeomatics.com

Last Updated:

2022-08-16

The MapServer CGI, by default, will happily attempt to process any mapfile it is asked to. While this might be desireable in a development environment, it is not acceptable for public-facing installations. MapServer supports the use of specific environment variables, set at the web server tier, to limit access. Since the MapServer 7.6.3 release, you are required to use (a combination of) these environment variables to secure your installation; for earlier MapServer versions these environment variables are strongly recommended.

Waarschuwing

The vulnerability CVE-2021-32062 was fixed through the MapServer 7.6.3 release, through requiring the use of the environment variables described in this MapServer document.

Notitie

Environment variables are only referenced by the MapServer CGI and are not used by MapScript in any way.

Key Environment Variables

Zie ook

Associated Pull Request for the 7.6.3 release

Tip

The online tools RegExr & RegEx101 are great for testing regular expressions.

MS_MAP_BAD_PATTERN

Nieuw in versie 7.6.3.

If set, this environment variable is interpreted as regular expression that is used to test the value of the CGI map parameter, by specifying which problematic character sequences to avoid. If the value matches then an error is generated. By default all MapServer installations (since 7.6.3) set a hardcoded value for MS_MAP_BAD_PATTERN of:

[/\\]{2}|[/\\]?\\.+[/\\]|,

which will therefore not allow “/../” or “//” in the map value.

Notitie

For Windows users, MS4W uses the PCRE regex library (which requires a slightly different regex syntax), so all future MS4W releases will contain the following default MS_MAP_BAD_PATTERN enabled (to not allow “/../” or “//” in the map value) :

[\/\\\\]{2}|[\/\\\\]?\.{2,}[\/\\\\]|,

For more information see Securing your MS4W Installation

MS_MAP_NO_PATH

Nieuw in versie 5.4.0.

If set, this environment variable limits values for the CGI map parameter to a curated (prepared) set of mapfiles explicitly defined by additional environment variables. This is the recommended way to secure mapfile access if at all possible.

Notitie

Mapfile-based environment variables (such as MS_MAPFILE) can be used without setting MS_MAP_NO_PATH.

MS_MAP_PATTERN

Nieuw in versie 5.4.0.

If set, this environment variable is interpreted as regular expression that is used to test the value of the CGI map parameter. If the value does not match then an error is generated.

Care must be taken to craft regular expressions that limit access to specific, trusted directories and limit path traversal:. See the Environment Variables guide for examples.

Notitie

If defined, the MS_MAP_PATTERN variable only applies to mapfiles not already defined through an environment variable.

Tip

As of the MapServer 8.0 release, there are 2 scenarios where you won’t have to specify MS_MAP_PATTERN :

  1. If using a map alias (set in the MAPS section of the MapServer CONFIG file).

  2. If MS_MAP_PATTERN is set in the underlying environment - that is, by the Web server. MapServer will fall back to the environment variables if they exist for any of the MS* variables.

Setting Environment Variables

Mechanisms to set environment variables vary from web server to web server, but all provide the capability. (regular expression feature sets can vary by operating system and version)

  • Apache - https://httpd.apache.org/docs/current/env.html

    Apache’s SetEnv directive (available through the mod_env module) allows you to set environment variables in the Apache conf file with a single command:

    • Unix users may set the following expression in Apache to restrict mapfiles to the /opt/mapserver directory and subdirectories:

      SetEnv MS_MAP_PATTERN "^\/opt\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      

      Waarschuwing

      During testing during this documentation process, the above MS_MAP_PATTERN failed on an old Debian Wheezy server, on a valid path such as MAP=/opt/mapserver/ogc-demos/wms.map (the dash in the ‘ogr-demos’ folder caused much grief) even though the dash was escaped in the provided character set of the expression.

      Therefore those running older regex libs should use the following instead, which puts the dash at the beginning of the character set of the expression, avoiding the escaping issue:

      SetEnv MS_MAP_PATTERN “^/osgeo/mapserver/([^.][-_A-Za-z0-9.]+/{1})*([-_A-Za-z0-9.]+.(map))$”

    • Windows Apache/MS4W users can set the following expression in the Apache conf file, to limit the possible MAP= paths to the common C:/ms4w/apps/ directory (where all MS4W mapfiles and applications live), allow encoded urls, allow “.” or “_” or “-” in MAP= paths but disallow “..” directory traversing:

      SetEnv MS_MAP_PATTERN "^(C:)?\/ms4w\/apps\/((?!\.{2})[_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.(map))$"
      
  • Nginx - http://nginx.org/en/docs/ngx_core_module.html#env

  • IIS - https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/environmentvariables/