Can you expand on the potential security issue posed by using the path name?

Thanks,
Rob
________________________________
From: Richard Greenwood <richard.greenw...@gmail.com>
Sent: Thursday, March 20, 2025 1:34 PM
To: Rob Dennett <rob.denn...@twdb.texas.gov>
Cc: mapserver <mapserver-users@lists.osgeo.org>
Subject: Re: [MapServer-users] Is there a way to set the document root for .map 
files?

This doesn't exactly answer your question, but directly referencing your map 
file in the URL is discouraged because it's a potential security issue. The 
"best practice" is to create an alias to each of your map files. For mapserv >= 
8.0 that can be done in the mapserver.conf file, for example:
   MAPS
      foo1 "/path/to/foo1.map"
      foo2 "/path/to/foo2.map"
   END
or for mapserv < 8.0 it can be done in the Apache config:
   SetEnv foo1 "/path/to/foo1.map"
   SetEnv foo2 "/path/to/foo2.map"
And then "best practice" is to block access to map files on the file system with
   MS_MAP_NO_PATH "1"
which is done in the mapserver.conf or the Apache conf depending on mapserv 
version.

If you still want to reference map files in the http request I believe they are 
relative to the mapserv binary (I'm saying this from memory, so I might be 
wrong). So you could put a symlink in your cgi-bin/ to /path/to/mapfiles/ but I 
think that's a terrible idea.

Rich

On Thu, Mar 20, 2025 at 9:37 AM Rob Dennett via MapServer-users 
<mapserver-users@lists.osgeo.org> wrote:
Is there a way to set a sort of document root for .map files and other files 
.map files might reference?  For example, my .map files are found at the root 
of an S3 bucket and we're trying to use an EFS volume instead.  Our URLs 
currently look like

https://www.ourOrg.com/cgi-bin/mapserv/?map=/foo.map&...

Where foo.map lives in the root of the s3 bucket.  With the new system we want, 
it will live at the root of the EFS volume, but with that volume mounted in a 
different directory in the docker container where MapServer runs, e.g. 
/ourOrg_mapserver.  The file system in the container is

/ourOrg_mapserver/foo.map

There are many existing URLs in our client apps as well as 3rd party customer 
apps which use the above URL.  Is there a way to set up mapserver so that 
/ourOrg_mapserver acts like an Apache document root so that existing stuff 
won't need to change?

Thanks,
Rob
_______________________________________________
MapServer-users mailing list
MapServer-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users


--
Richard W. Greenwood
www.greenwoodmap.com
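As an added illustration, not something posted in the thread, here is a complete MapServer 8 config file that puts Rich's two recommendations together: the map parameter is resolved only through aliases, and MS_MAP_NO_PATH stops the CGI from accepting a filesystem path in the URL at all. The container path /ourOrg_mapserver/foo.map comes from Rob's message; the alias name foo and the file location /etc/mapserver.conf are assumptions.

```text
# /etc/mapserver.conf (location assumed; mapserv reads the file named by the
# MAPSERVER_CONFIG_FILE environment variable, or its compiled-in default path)
CONFIG
  ENV
    # With this set, a request such as ?map=/ourOrg_mapserver/foo.map is
    # rejected; only names listed in the MAPS section below are accepted.
    MS_MAP_NO_PATH "1"
  END
  MAPS
    # alias -> mapfile on the EFS volume as mounted inside the container
    # (alias name assumed; path taken from the thread)
    foo "/ourOrg_mapserver/foo.map"
  END
END
```

With this in place the request becomes https://www.ourOrg.com/cgi-bin/mapserv?map=foo, and the physical location of the mapfile can move (S3 to EFS, or any later change) without touching any client URL, since only the alias is exposed. The trade-off for Rob's situation is that the existing ?map=/foo.map URLs are exactly the form MS_MAP_NO_PATH is meant to refuse, so those clients would need to be updated to the alias form.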