Not only is exposing your .map files not a great idea, you should
consider wrapping your mapserv url in a php/python/etc script.
That way you can filter any passed data to see if it's suspect or just
gather stats. More importantly, it hides any info about your backend,
including the name of the mapserv binary. I rename mapserv to a
non-obvious name in cgi-bin and use a wrapper.
In your case, using a wrapper around mapserv would allow you to hard
code one single url for all you apps/client, then the wrapper could
update the url based on customer.
You could also set up a redirect in your web server to redirect all
/cgi-bin/mapserv requests to that wrapper.
Scott
On 3/20/25 14:05, Rob Dennett via MapServer-users wrote:
Can you expand on the potential security issue posed by using the path
name?
Thanks,
Rob
------------------------------------------------------------------------
*From:* Richard Greenwood <richard.greenw...@gmail.com>
*Sent:* Thursday, March 20, 2025 1:34 PM
*To:* Rob Dennett <rob.denn...@twdb.texas.gov>
*Cc:* mapserver <mapserver-users@lists.osgeo.org>
*Subject:* Re: [MapServer-users] Is there a way to set the document root
for .map files?
External: Beware of links/attachments.
This doesn't exactly answer your question, but directly referencing your
map file in the URL is discouraged because it's a potential
security issue. The "best practice" is to create an alias to each of
your map files. For mapserv >= 8.0 that can be done in the
mapserver.conf file, for example:
MAP
foo1 "/path/to/foo1.map
foo2 "/path/to/foo2.map
END
or for mapserv < 8.0 it can be done in the Apache config:
SetEnv foo1 "/path/to/foo1.map"
SetEnv foo1 "/path/to/foo1.map"
And then "best practice" is to block access to map files on the file
system with
MS_MAP_NO_PATH "1"
which is done in the mapserver.conf or the Apache conf depending on
mapserv version.
If you still want to reference map files in the http request I believe
they are relative to the mapserv binary (I'm saying this from memory, so
I might be wrong). So you could put a symlink in your cgi-bin/ to /path/
to/mapfiles/ but I think that's a terrible idea.
Rich
On Thu, Mar 20, 2025 at 9:37 AM Rob Dennett via MapServer-users
<mapserver-users@lists.osgeo.org <mailto:mapserver-
us...@lists.osgeo.org>> wrote:
Is there a way to set a sort of document root for .map files and
other files .map files might reference? For example, my .map files
are found at the root of an S3 bucket and we're trying to use an EFS
volume instead. Our URLs currently look like
https://www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&;. <https://
www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&.>..
Where foo.map lives in the root of the s3 bucket. With the new
system we want, it will live at the root of the EFS volume, but with
that volume mounted in a different directory in the docker container
where MapServer runs, e.g. /ourOrg_mapserver. The file system in
the container is
/ourOrg_mapserver/foo.map
There are many existing URLs in our client apps as well as 3rd party
customer apps which use the above URL. Is there a way to set up
mapserver so that /ourOrg_mapserver acts like an Apache document
root so that existing stuff won't need to change?
Thanks,
Rob
_______________________________________________
MapServer-users mailing list
MapServer-users@lists.osgeo.org <mailto:MapServer-users@lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/mapserver-users <https://
lists.osgeo.org/mailman/listinfo/mapserver-users>
--
Richard W. Greenwood
www.greenwoodmap.com <http://www.greenwoodmap.com>
_______________________________________________
MapServer-users mailing list
MapServer-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users
_______________________________________________
MapServer-users mailing list
MapServer-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users
