Re: [mapserver-users] 7.6.3 released - includes important security fix

2021-06-03 Thread Jeff McKenna via mapserver-users
The associated CVE security ID for this is: CVE-2021-32062 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062


-jeff


--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/



On 2021-04-30 7:55 p.m., Steve Lime wrote:
The MapServer team is pleased (kinda) to announce the 7.6.3 security and 
maintenance release.


Importantly, this release addresses a flaw, discovered by project 
developers, in MapServer CGI mapfile loading that makes it possible to 
bypass security controls (ticket #6313). This flaw makes it difficult to 
easily limit where MapServer can load a mapfile from and affects 
versions 4.10 and later. This is a critical issue and all users are 
encouraged to update as soon as possible.


What does this mean for you?

 1. If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of
securing your installation then this doesn't have much impact since
you're not using the controls. That said, this is a critical
configuration step and you should upgrade and make use of those
controls to limit where mapfiles can be accessed.
 2. If you've relied on MS_MAP_PATTERN exclusively, you should upgrade
and be in good shape. However, it's a great time to review and test
MS_MAP_PATTERN.
 3. If you've relied on MS_MAP_NO_PATH primarily (like me), you should
upgrade and set a value for MS_MAP_PATTERN.

We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as well. 
Updates to binary distributions will follow ASAP.


For the list of additional changes see the Changelog at
https://mapserver.org/development/changelog/changelog-7-6.html
Or head to Download at https://mapserver.org/download.html
For those wanting searchable offline documentation, the updated PDF is
available at https://download.osgeo.org/mapserver/docs/MapServer.pdf



-- The MapServer Team




___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users


Re: [mapserver-users] SUM: MapServer PostGIS: WMS Layers Without Features

2021-06-03 Thread Rahkonen Jukka (MML) via mapserver-users
Hi,

All MapServer admins make that error every now and then.

There is a configuration option in the QGIS WMS Connection editor “Ignore 
GetMap/GetTile/GetLegendGraphic URI reported in capabilities” that helps to 
access many misconfigured WMS servers. If you check that box the same base URL 
that is used for GetCapabilities is used also for other requests. Other clients 
may have a similar configuration option, at least OpenJUMP does.

-Jukka Rahkonen-

From: mapserver-users on behalf of Nathan L via mapserver-users
Sent: Thursday, 3 June 2021 19:15
To: mapserver-users@lists.osgeo.org
Subject: [mapserver-users] SUM: MapServer PostGIS: WMS Layers Without Features

Earlier, I asked why my MapServer PostGIS implementation was producing a WMS 
service without any layers in it. The original question in detail is at the 
bottom of this summary.

The responses here and in other forums were quite helpful. It narrowed down the 
problem to about ten areas, which I dutifully examined as a checklist. Richard 
Greenwood's earliest suggestions happened to be the most helpful. He suggested 
to look at the Apache logs to see what requests QGIS or ArcGIS was sending to 
MapServer. I'm glad I did - they kept redirecting in the URL to a "wms.map" 
file at the root directory that didn't exist.

I then looked at my mapfile and lo and behold, I was the one redirecting it! I 
had taken example code from the Setup a Mapfile For Your WMS documentation 
and hadn't customized it to my implementation. The example code wasn't 
annotated so I didn't realize it included an example that required revision.

It was in the WMS Metadata of the mapfile, where:
"wms_onlineresource" "http://localhost/cgi-bin/mapserv.exe?map=wms.map&"

I changed it to point to the actual mapfile location:
"wms_onlineresource" "http://localhost/cgi-bin/mapserv.exe?map=%2Fms4w%2Fapps%2Fsegis-demo%2Fmap-segis-demo.map&"

Ironic as it was a line in the mapfile that redirected the run of the program 
away from itself. I'm so very grateful for the responses I received to help me 
solve my (self-inflicted, as many are...) problem.

Nathan Tyler Lowry
Comprehensive GIS Solutions
(719) 208-7092 Desk
(719) 963-3571 Cell
(719) 960-2084 Fax
nathan.tyler.lo...@gmail.com


[mapserver-users] SUM: MapServer PostGIS: WMS Layers Without Features

2021-06-03 Thread Nathan L via mapserver-users
Earlier, I asked why my MapServer PostGIS implementation was producing a
WMS service without any layers in it. The original question in detail is at
the bottom of this summary.

The responses here and in other forums were quite helpful. It narrowed down
the problem to about ten areas, which I dutifully examined as a checklist.
Richard Greenwood's earliest suggestions happened to be the most helpful.
He suggested to look at the Apache logs to see what requests QGIS or ArcGIS
was sending to MapServer. I'm glad I did - they kept redirecting in the URL
to a "wms.map" file at the root directory that didn't exist.

I then looked at my mapfile and lo and behold, I was the one redirecting
it! I had taken example code from the Setup a Mapfile For Your WMS
documentation and hadn't customized it to my implementation. The example
code wasn't annotated so I didn't realize it included an example that
required revision.

It was in the WMS Metadata of the mapfile, where:
"wms_onlineresource" "http://localhost/cgi-bin/mapserv.exe?map=wms.map&"

I changed it to point to the actual mapfile location:
"wms_onlineresource" "http://localhost/cgi-bin/mapserv.exe?map=%2Fms4w%2Fapps%2Fsegis-demo%2Fmap-segis-demo.map&"

Ironic as it was a line in the mapfile that redirected the run of the
program away from itself. I'm so very grateful for the responses I received
to help me solve my (self-inflicted, as many are...) problem.

Nathan Tyler Lowry
Comprehensive GIS Solutions
(719) 208-7092 Desk
(719) 963-3571 Cell
(719) 960-2084 Fax
nathan.tyler.lo...@gmail.com


Re: [mapserver-users] CGI variable "map" fails to validate.

2021-06-03 Thread Steve Lime via mapserver-users
I should note that 7.6.3 (also 7.4.5, 7.2.3 and 7.0.8) should make defining
a value for MS_MAP_PATTERN much simpler. We updated things to use two
filters instead of one. The first, MS_MAP_BAD_PATTERN, checks for
problematic character sequences in the map value, for example /./, /../ or
// and fails if there is a match. This means you don't have to account for
those with MS_MAP_PATTERN alone and you can just write something simple
like:

  MS_MAP_PATTERN "^\/etc\/mapserver"

You need to be running the latest version for this to work as intended and
of course that's strongly recommended.

--Steve


On Thu, Jun 3, 2021 at 8:12 AM Jeff McKenna via mapserver-users <
mapserver-users@lists.osgeo.org> wrote:

> Hi David,
>
> MS4W also uses PCRE for its regex engine, so Windows users will soon be
> facing these same issues as you (I'll be making this as easy as possible
> for the new Windows users).
>
> So to answer your question: I believe most users aren't yet aware of
> what regex engine they use, and, also I believe that the PCRE regex
> engine is used more frequently in the MapServer community than what is
> believed.  (most automated tests do not use PCRE, for example, even
> though it is so commonly used)
>
> I'm not sure if I have the answer that you need, but I wanted to give a
> perspective from the Windows side.
>
> -jeff
>
>
> --
> Jeff McKenna
> GatewayGeo: Developers of MS4W, MapServer Consulting and Training
> co-founder of FOSS4G
> http://gatewaygeo.com/
>
>
>
> On 2021-06-03 9:29 a.m., David Pavlíček via mapserver-users wrote:
> > Hi Steve,
> > your pattern works like a charm... escaped hyphen was the issue. I
> > tested the previous regex with regex101.com and it matches with no
> > problems against most of the available variants except PCRE. Which
> > regex engine is suitable for a test against MapServer?
> >
> > Thank you.
> >
> > On Wed, 2 Jun 2021 at 15:16, Steve Lime wrote:
> >
> > Hi David: Presumably the Docker image is running the most recent
> > version of 7.4 which would have that pull request applied. That
> > said, I don't think it's the culprit here and I have seen some
> > issues with -'s where the MS_MAP_PATTERN expression compiles fine
> > but doesn't match as expected. Re-writing the expression to move the
> > - character can help. Try this:
> >
> >
> >   MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][-_A-Za-z0-9\.]+\/{1})*([-_A-Za-z0-9\.]+\.map)$
> >
> > --Steve
> >
> > On Wed, Jun 2, 2021 at 3:07 AM David Pavlíček via mapserver-users
> > <mapserver-users@lists.osgeo.org> wrote:
> >
> > Hello,
> > I'm using camptocamp/mapserver:7.4 docker image to run mapserver
> > on our servers and I have recently encountered this error:
> >
> > [warn] [pid 25] mod_fcgid: stderr: msCGILoadMap(): Web
> > application error. CGI variable "map" fails to validate.
> > 2098 - 172.17.0.1 - - [02/Jun/2021:04:57:42 +] "GET
> > /?map=/etc/mapserver/puobod/krpk-puobod-red.map=getcapabilities=WMS"
> >
> > In fact, any mapfile with hyphens won't work. They fail against
> > MS_MAP_PATTERN regex or something. This is strange because I
> > tested this regex and it works fine. Container MS ENV variables
> > look like this:
> >
> > MS_ERRORFILE=stderr
> >
> > MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.map)$
> > MS_DEBUGLEVEL=0
> > MS_MAPFILE=/etc/mapserver/mapserver.map
> >
> > Maybe something related to this PR:
> > https://github.com/MapServer/MapServer/pull/6314
> >
> > Any suggestions about that? Renaming project is not an option
> > because they are referenced in many places outside of our direct
> > reach (GIS clients, servers, etc)
> >
> > Thanks, David
>
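A worked model of the two-stage check Steve describes, which also shows the MS_MAP_PATTERN control the 7.6.3 announcement earlier in the thread asks admins to set; this is an illustration added here, not code from the MapServer project. The MS_MAP_BAD_PATTERN value is an assumption built from the sequences Steve lists (MapServer's real default is not quoted on the page), the allow-pattern is his prefix example, and the sample map values are constructed, one of them the hyphenated path from David's log.

```python
import re

# Stage 1: MS_MAP_BAD_PATTERN. MapServer's real default is not quoted on the
# page; this value is an assumption that rejects the sequences Steve lists
# (/./, /../, //), also when they sit at the start or end of the value.
MS_MAP_BAD_PATTERN = r"(^|[/\\])\.{1,2}([/\\]|$)|[/\\]{2}"

# Stage 2: with the bad-pattern filter in front, MS_MAP_PATTERN can be the
# plain prefix anchor from Steve's message instead of a full path grammar.
MS_MAP_PATTERN = r"^\/etc\/mapserver"

# The single-filter expression from David's container, for comparison.
LEGACY_PATTERN = (r"^\/etc\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*"
                  r"([_A-Za-z0-9\-\.]+\.map)$")


def validate_map(value, bad_pattern=MS_MAP_BAD_PATTERN, map_pattern=MS_MAP_PATTERN):
    """Return (accepted, reason) for a CGI 'map' value; both stages must pass."""
    if re.search(bad_pattern, value):
        return False, "rejected by MS_MAP_BAD_PATTERN"
    if not re.search(map_pattern, value):
        return False, "rejected by MS_MAP_PATTERN"
    return True, "accepted"


def legacy_matches(value):
    """Whether David's original expression matches under Python's re engine."""
    return re.search(LEGACY_PATTERN, value) is not None


# Constructed sample values with the expected outcome; the first is the
# hyphenated mapfile from David's log.
SAMPLES = {
    "/etc/mapserver/puobod/krpk-puobod-red.map": True,
    "/etc/mapserver/mapserver.map": True,
    "/etc/mapserver/../../../tmp/outside.map": False,  # traversal sequence
    "/etc/mapserver//mapserver.map": False,            # doubled separator
    "/etc/mapserver/./mapserver.map": False,           # dot segment
    "/var/www/other.map": False,                       # outside the prefix
}


def run_samples():
    """Map each sample value to whether the two-stage check accepts it."""
    return {value: validate_map(value)[0] for value in SAMPLES}


if __name__ == "__main__":
    for value in SAMPLES:
        accepted, reason = validate_map(value)
        print(f"{'accept' if accepted else 'reject'} {value}: {reason}")
```

Python's re engine is Perl-like but is not PCRE, so the legacy check only shows how that expression behaves here, not why David's container rejected it.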


Re: [mapserver-users] CGI variable "map" fails to validate.

2021-06-03 Thread Jeff McKenna via mapserver-users

Hi David,

MS4W also uses PCRE for its regex engine, so Windows users will soon be 
facing these same issues as you (I'll be making this as easy as possible 
for the new Windows users).


So to answer your question: I believe most users aren't yet aware of 
what regex engine they use, and, also I believe that the PCRE regex 
engine is used more frequently in the MapServer community than what is 
believed.  (most automated tests do not use PCRE, for example, even 
though it is so commonly used)


I'm not sure if I have the answer that you need, but I wanted to give a 
perspective from the Windows side.


-jeff


--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/



On 2021-06-03 9:29 a.m., David Pavlíček via mapserver-users wrote:

Hi Steve,
your pattern works like a charm... escaped hyphen was the issue. I 
tested the previous regex with regex101.com and it 
matches with no problems against most of the available variants except 
PCRE. Which regex engine is suitable for a test against MapServer?


Thank you.

On Wed, 2 Jun 2021 at 15:16, Steve Lime wrote:


Hi David: Presumably the Docker image is running the most recent
version of 7.4 which would have that pull request applied. That
said, I don't think it's the culprit here and I have seen some
issues with -'s where the MS_MAP_PATTERN expression compiles fine
but doesn't match as expected. Re-writing the expression to move the
- character can help. Try this:

  
  MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][-_A-Za-z0-9\.]+\/{1})*([-_A-Za-z0-9\.]+\.map)$


--Steve

On Wed, Jun 2, 2021 at 3:07 AM David Pavlíček via mapserver-users
<mapserver-users@lists.osgeo.org> wrote:

Hello,
I'm using camptocamp/mapserver:7.4 docker image to run mapserver
on our servers and I have recently encountered this error:

[warn] [pid 25] mod_fcgid: stderr: msCGILoadMap(): Web
application error. CGI variable "map" fails to validate.
2098 - 172.17.0.1 - - [02/Jun/2021:04:57:42 +] "GET
/?map=/etc/mapserver/puobod/krpk-puobod-red.map=getcapabilities=WMS"

In fact, any mapfile with hyphens won't work. They fail against
MS_MAP_PATTERN regex or something. This is strange because I
tested this regex and it works fine. Container MS ENV variables
look like this:

MS_ERRORFILE=stderr

MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.map)$
MS_DEBUGLEVEL=0
MS_MAPFILE=/etc/mapserver/mapserver.map

Maybe something related to this PR:
https://github.com/MapServer/MapServer/pull/6314


Any suggestions about that? Renaming project is not an option
because they are referenced in many places outside of our direct
reach (GIS clients, servers, etc)

Thanks, David



Re: [mapserver-users] CGI variable "map" fails to validate.

2021-06-03 Thread David Pavlíček via mapserver-users
Hi Steve,
your pattern works like a charm... escaped hyphen was the issue. I tested
the previous regex with regex101.com and it matches with no problems
against most of the available variants except PCRE. Which regex engine is
suitable for a test against MapServer?

Thank you.

On Wed, 2 Jun 2021 at 15:16, Steve Lime wrote:

> Hi David: Presumably the Docker image is running the most recent version
> of 7.4 which would have that pull request applied. That said, I don't think
> it's the culprit here and I have seen some issues with -'s where the
> MS_MAP_PATTERN expression compiles fine but doesn't match as expected.
> Re-writing the expression to move the - character can help. Try this:
>
>
> MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][-_A-Za-z0-9\.]+\/{1})*([-_A-Za-z0-9\.]+\.map)$
>
> --Steve
>
> On Wed, Jun 2, 2021 at 3:07 AM David Pavlíček via mapserver-users <
> mapserver-users@lists.osgeo.org> wrote:
>
>> Hello,
>> I'm using camptocamp/mapserver:7.4 docker image to run mapserver on our
>> servers and I have recently encountered this error:
>>
>> [warn] [pid 25] mod_fcgid: stderr: msCGILoadMap(): Web application error.
>> CGI variable "map" fails to validate.
>> 2098 - 172.17.0.1 - - [02/Jun/2021:04:57:42 +] "GET
>> /?map=/etc/mapserver/puobod/krpk-puobod-red.map=getcapabilities=WMS"
>>
>> In fact, any mapfile with hyphens won't work. They fail against
>> MS_MAP_PATTERN regex or something. This is strange because I tested this
>> regex and it works fine. Container MS ENV variables look like this:
>>
>> MS_ERRORFILE=stderr
>>
>> MS_MAP_PATTERN=^\/etc\/mapserver\/([^\.][_A-Za-z0-9\-\.]+\/{1})*([_A-Za-z0-9\-\.]+\.map)$
>> MS_DEBUGLEVEL=0
>> MS_MAPFILE=/etc/mapserver/mapserver.map
>>
>> Maybe something related to this PR:
>> https://github.com/MapServer/MapServer/pull/6314
>>
>> Any suggestions about that? Renaming project is not an option because
>> they are referenced in many places outside of our direct reach (GIS
>> clients, servers, etc)
>>
>> Thanks, David
>