Security Advisory – Limiting Mapfile Access

Posted:

2021-03-30

This is an important reminder that, as part of a secure deployment, it is important to limit MapServer CGI access to mapfiles. The MapServer CGI has long supported the use of environment variables as a primary mechanism to do this. If you haven’t implemented these controls then that constitutes undue risk that is easily mitigated and we strongly encourage you to do so as soon as possible. It’s also a great time to review those settings if you already have them in place as we’ve recently updated regex examples related to MS_MAP_PATTERN to limit path traversal.

Relevant documentation can be found at:

Please don’t hesitate to reach out with questions.

-the MapServer Project Steering Committee (PSC)