On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs, adding the development list in CC.
>
> I can confirm the issue on latest mapcache master. The vulnerability is the injection of a parameter value between XML comment markers <-- --> used for the error message. When this parameter value starts with --> it ends the comment part and the rest of the value is then parsed as non-comment XML. By skimming through the code it appears there are several similar instances in this protocol and others as well.
>
> I can see 2 options to fix this:
>
> - the safer one I think: do not return the invalid parameter value in the error message, but just the parameter name. So returning "Invalid layer name" instead of "Invalid layer {value_of_the_LAYER_parameter}". The important information is the name of the erroneous parameter, not its value (the user can figure that out himself)
I think users need the {value_of_the_LAYER_parameter} Without that, it is impossible to debug with a large mapfile (with or without MapCache).
> - a more risky one: sanitize the value that is going to be put inside XML comments <-- --> . So that means at least removing --> sequences, but perhaps other things too ?
>
> Even
-jeff

-- 
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/

_______________________________________________
mapserver-users mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/mapserver-users
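As an added illustration of the second option discussed above (this is example code, not MapCache's code and not from either poster), the C routine below breaks up every "--" run and neutralises a trailing "-" before a request value is placed inside an XML comment, so the value can no longer close the comment; the function names, the error-message format and the sample LAYER value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `in` into a new buffer where every "--" is broken up and a trailing
 * "-" gets a following space. XML forbids "--" inside a comment and "-"
 * right before "-->", so the result cannot close the enclosing comment. */
char *xml_comment_sanitize(const char *in) {
    size_t n = strlen(in), j = 0;
    char *out = malloc(2 * n + 1); /* worst case: every '-' gains a space */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        out[j++] = in[i];
        if (in[i] == '-' && (i + 1 == n || in[i + 1] == '-'))
            out[j++] = ' ';
    }
    out[j] = '\0';
    return out; /* caller frees */
}

/* Build the error comment as option 2 proposes: the raw request value is
 * sanitized before it is echoed. (Message format is an assumption.) */
char *build_error_comment(const char *param, const char *raw_value) {
    char *safe = xml_comment_sanitize(raw_value);
    if (!safe) return NULL;
    int len = snprintf(NULL, 0, "<!-- Invalid %s: %s -->", param, safe);
    char *msg = malloc((size_t)len + 1);
    if (msg) snprintf(msg, (size_t)len + 1, "<!-- Invalid %s: %s -->", param, safe);
    free(safe);
    return msg;
}

/* Defensive check: 1 if `xml` is exactly one well-formed comment, i.e. it
 * opens with "<!-- ", closes with " -->" and has no "--" in between. */
int comment_is_intact(const char *xml) {
    size_t n = strlen(xml);
    if (n < 9 || strncmp(xml, "<!-- ", 5) != 0 || strcmp(xml + n - 4, " -->") != 0)
        return 0;
    for (size_t i = 5; i + 1 < n - 4; i++)
        if (xml[i] == '-' && xml[i + 1] == '-') return 0;
    return 1;
}

int main(void) {
    /* constructed sample: a LAYER value that begins with "-->" */
    char *msg = build_error_comment("layer", "--><x/>");
    printf("%s  intact=%d\n", msg, comment_is_intact(msg));
    free(msg); return 0;
}
```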
