On 2017-08-06 8:47 AM, Even Rouault wrote:
Beste / devs,

adding the development list in CC.

I can confirm the issue on latest mapcache master. The vulnerabililty is the
injection of a parameter value between XML comment markers <-- --> used for
the error message. When this parameter value starts with --> it ends up the
comment part and the rest of the value is then parsed as non-comment XML.
By skimming through the code it appears there are several similar instances in
this protocol and others as well.

I can see 2 options to fix this:
- the safer one I think: do not return the invalid parameter value in the
error message, but just the parameter name. So returning "Invalid layer name"
instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
information is the name of the erroneous parameter, not its value (the user
can figure it that himself)

I think users need the {value_of_the_LAYER_parameter} Without that, it is impossible to debug with a large mapfile (with or without MapCache).

- a more risky one: sanitize the value that is going to be put inside XML
comments <--  --> . So that means at least removing --> sequences, but perhaps
other things too ?



Jeff McKenna
MapServer Consulting and Training Services
mapserver-users mailing list

Reply via email to