[FGS] [http] Document root for mapserver

Frank Warmerdam warmerdam at pobox.com
Mon Jun 21 10:15:03 EST 2010


Vincent Letocart wrote:
>> I first want to see if the file is correctly accessed. For instance, 
>> I put the example with name 'tutorial_1.map', and I call mapserver
>> from the browser:
>>
>>      http://mysite:8081/cgi-bin/mapserv?map=/tutorial_1.map&layer=states&mode=map
>>
>> as suggested in the tutorial. In the meantime, I 'strace' the httpd
>> processes listening on port 8081, and I see in the browser:
>>
>> 	  msLoadMap(): Unable to access file. (/tutorial_1.map) 
>>
>> and in my trace:
>>
>>     [pid 10870] open("/tutorial_1.map", O_RDONLY) = -1 ENOENT (No such file or directory)
...
>> I do not see why the mapserver process is looking at that place
>> for the mapfile. Moreover, I consider this as dangerous.
>> And, at the end, I cannot get result of the map file processing.
>>
>> Did I miss something in the documentation ??

Vincent,

The MapServer cgi does not know anything about your apache setup, or its
document root, so it does not evaluate any paths relative to the document
root.

Furthermore there are good security reasons in many cases to keep your map
file outside the publicly accessible document tree.

There are mechanisms to restrict the paths that can be used for map= paths
by mapserver.  I believe by default there is a regex in place that ensures
only filenames ending in .map are accepted.  This at least makes it difficult
to try and trick mapserver into trying to read and then report errors with
potentially sensitive text from files like /etc/passwd.

Note, this is not particularly an FGS question and you might have gotten
an answer sooner asking it on the mapserver users mailing list.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent
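
The restriction discussed in this message (only names ending in .map, kept in a directory outside the document root), applied to constructed access-log lines. This is an added example, not part of the message above and not MapServer's own code; `MAP_ROOT`, the name pattern and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

MAP_ROOT = "/srv/mapfiles"  # assumption: map directory kept outside the document root
MAP_NAME = re.compile(r"[A-Za-z0-9_./-]+\.map")  # constructed pattern, not MapServer's
REQUEST = re.compile(r'"(?:GET|POST) (\S*/mapserv\?\S*) HTTP')


def check_map_param(value, root=MAP_ROOT):
    """Return (True, resolved_path) or (False, reason) for one map= value."""
    if not MAP_NAME.fullmatch(value):
        return False, "not a plain *.map name"
    # join() discards root when value is absolute, so "/tutorial_1.map" stays
    # at the filesystem root, which is where the strace output shows the open().
    full = posixpath.normpath(posixpath.join(root, value))
    # Lexical check only; on a live system use os.path.realpath() so that
    # symlinks inside the map directory are resolved before comparing.
    if posixpath.commonpath([root, full]) != root:
        return False, "outside map root"
    return True, full


def audit(log_lines, root=MAP_ROOT):
    """List (map value, reason) for mapserv requests whose map= is rejected."""
    findings = []
    for line in log_lines:
        hit = REQUEST.search(line)
        if not hit:
            continue
        # parse_qs percent-decodes, so encoded values are checked as served.
        for value in parse_qs(urlsplit(hit.group(1)).query).get("map", []):
            ok, detail = check_map_param(value, root)
            if not ok:
                findings.append((value, detail))
    return findings


# Constructed access-log lines (combined log format, documentation address).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2010:10:01:00 +0000] "GET /cgi-bin/mapserv?map=/tutorial_1.map&layer=states&mode=map HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Jun/2010:10:02:00 +0000] "GET /cgi-bin/mapserv?map=tutorial_1.map&layer=states&mode=map HTTP/1.1" 200 9120',
    '192.0.2.10 - - [21/Jun/2010:10:03:00 +0000] "GET /cgi-bin/mapserv?map=/etc/passwd&mode=map HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for value, reason in audit(SAMPLE_LOG):
        print(f"rejected map={value!r}: {reason}")
```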


