[MapServer-dev] MapServer version information in error messages

Seth G sethg at geographika.co.uk
Wed Jan 25 07:12:31 PST 2023


Hi all,

Does anyone have any thoughts about removing MapServer version information from any errors/responses sent to client applications?

A few relevant online discussions [1] [2]. As MapServer falls more in the generic server category I'd be +1 on removing the details from responses (and leaving them in the client applications). 

See https://github.com/MapServer/MapServer/pull/6794 for some more details. I added in Proj and GDAL versions which are handy for admins/debugging, but provide more information to a malevolent party looking to attack a MapServer instance. 

Seth

[1] https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
[2] https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app

--
web:https://geographika.net
twitter: @geographika

