[mapserver-dev] Security risk with WMS exceptions?

Daniel Morissette dmorissette at mapgears.com
Wed May 21 06:22:51 PDT 2014


There are several instances of very detailed error messages like this 
one in the postgis driver. Those details are useful for debugging, but 
you are right that it is a bit much to expose to the end user. Perhaps 
they could be converted to a more generic error message via 
msSetError(), and the details moved to a msDebug() call when 
layer->debug is set.

Maybe a ticket could be filed about this for when someone has time?

Daniel


On 14-05-21 8:13 AM, Rahkonen Jukka (Tike) wrote:
>
> Hi,
>
> Right now the MapServer demo server has trouble connecting to PostgreSQL, and GetMaps like
>
> http://demo.mapserver.org/cgi-bin/foss4g?&SERVICE=WMS&VERSION=1.1.1%20&REQUEST=GetMap&LAYERS=OSM_Denver&STYLES=&SRS=EPSG:4326&BBOX=-105.208290,39.542378,-104.769779,39.980889&WIDTH=100&HEIGHT=100&FORMAT=image/png
> leads to this error message:
>
> <?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
> <!DOCTYPE ServiceExceptionReport SYSTEM "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
> <ServiceExceptionReport version="1.1.1">
> <ServiceException>
> msDrawMap(): Image handling error. Failed to draw layer named 'landuse_layer4'.
> msPostGISLayerOpen(): Query error. Database connection failed (FATAL:  database "osm" does not exist
> ) with connect string 'host=localhost dbname=osm user=www-data password=******** port=5432'
> Is the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?
> </ServiceException>
> </ServiceExceptionReport>
>
> Well, the message does not reveal the password and it gives useful information for the MapServer admin. But does it make sense to send this information to WMS users?
>
> -Jukka Rahkonen-
>


-- 
Daniel Morissette
T: +1 418-696-5056 #201
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
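
The split proposed in the reply above, as an added stand-alone C sketch (not MapServer code and not part of the original message): the client gets a generic message, and the driver error plus the masked connect string go to a debug log only when the debug flag is set. `demo_layer`, `mask_password`, `leaks_connection_detail` and `report_connect_failure` are hypothetical names standing in for the msSetError()/msDebug() paths.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for this example; not MapServer's layer structure. */
typedef struct {
    int  debug;             /* plays the role of layer->debug */
    char client_msg[160];   /* text that would reach <ServiceException> */
    char debug_log[400];    /* text that would reach the server-side log */
} demo_layer;

/* Copy connstr into out, replacing the password value with asterisks. */
static void mask_password(const char *connstr, char *out, size_t outlen)
{
    const char *p = strstr(connstr, "password=");
    size_t n = 0;
    if (outlen == 0) return;
    for (const char *s = connstr; *s && n + 1 < outlen; ) {
        if (p && s == p + 9) {                 /* just past "password=" */
            while (*s && *s != ' ') s++;       /* skip the real value */
            for (int i = 0; i < 8 && n + 1 < outlen; i++) out[n++] = '*';
            p = NULL;                          /* mask once, then copy the rest */
        } else out[n++] = *s++;
    }
    out[n] = '\0';
}

/* Nonzero if msg contains a connection-string key that should stay server-side. */
int leaks_connection_detail(const char *msg)
{
    static const char *keys[] = { "host=", "dbname=", "user=", "password=", "port=" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strstr(msg, keys[i])) return 1;
    return 0;
}

/* Generic text for the client; details go to the log only when debug is on. */
int report_connect_failure(demo_layer *layer, const char *driver_err, const char *connstr)
{
    char masked[256];
    snprintf(layer->client_msg, sizeof layer->client_msg,
             "Query error. Database connection failed.");
    layer->debug_log[0] = '\0';
    if (layer->debug) {
        mask_password(connstr, masked, sizeof masked);
        snprintf(layer->debug_log, sizeof layer->debug_log,
                 "Database connection failed (%s) with connect string '%s'",
                 driver_err, masked);
    }
    return -1;  /* failure, as the caller would propagate it */
}
```

`leaks_connection_detail()` can double as a regression check on whatever text ends up in the ServiceException body.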

