[MapServer-dev] MapServer version information in error messages

Nash, Edward <E.Nash at dvz-mv.de>
Wed Jan 25 07:46:59 PST 2023


I'd be +1 on sending as little information about the server as possible (aka "secure") by default.

Whatever the technical merits, this one always comes up on security checklists, and anything that makes it harder to forget to set everything up correctly is fine by me - assuming the documentation of how to get the version details for debugging is clear and easy to find (as an FAQ, or maybe in a new "Troubleshooting" section in the docs?).

Best regards,

Ed

-----Original Message-----
From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> On Behalf Of Seth G
Sent: Wednesday, 25 January 2023 16:13
To: MapServer Devs <mapserver-dev at lists.osgeo.org>
Subject: [MapServer-dev] MapServer version information in error messages

Hi all,

Does anyone have any thoughts about removing MapServer version information from any errors/responses sent to client applications?

A few relevant online discussions [1] [2]. As MapServer falls more in the generic server category I'd be +1 on removing the details from responses (and leaving them in the client applications). 

See https://github.com/MapServer/MapServer/pull/6794 for some more details. I added in Proj and GDAL versions which are handy for admins/debugging, but provide more information to a malevolent party looking to attack a MapServer instance. 

Seth

[1] https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
[2] https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app

--
web:https://geographika.net
twitter: @geographika
_______________________________________________
MapServer-dev mailing list
MapServer-dev at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-dev
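The design both posts converge on (version details off by default for clients, still available server-side for admins) can be sketched in code. The following is an added example, not MapServer code and not the change in the linked pull request: a small Python module that builds a client-facing error body with library versions redacted unless an explicit debug flag is set, always writes the full banner to the server-side log line, and offers a scanner a reviewer can run over captured responses when ticking the "no version disclosure" checklist item. The component names are taken from the thread; the version numbers and error messages are constructed sample values.

```python
"""Added example: keep server/library version strings out of client responses
by default, while preserving them for server-side debugging.

Not MapServer code. Version numbers below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample values for this example, not real release numbers.
COMPONENT_VERSIONS: Dict[str, str] = {
    "MapServer": "9.9.9-example",
    "PROJ": "8.8.8-example",
    "GDAL": "7.7.7-example",
}

# Matches "<Component> 1.2.3", "<Component>/1.2.3", "<Component> v1.2.3" and
# "<Component> version 1.2.3", with an optional "-suffix" or "+build" tag.
_VERSION_RE = re.compile(
    r"\b(MapServer|PROJ|GDAL)\b[\s/:]*(?:v(?:ersion)?\s*)?"
    r"(\d+\.\d+(?:\.\d+)?(?:[-+][\w.]+)?)",
    re.IGNORECASE,
)


def find_version_disclosures(text: str) -> List[Tuple[str, str]]:
    """Scan a response body and return every (component, version) it leaks.

    Intended for a checklist-style review of captured responses: an empty
    list means the body carries no recognisable version banner.
    """
    return [(m.group(1), m.group(2)) for m in _VERSION_RE.finditer(text)]


def redact_versions(text: str) -> str:
    """Strip version numbers while keeping the component name.

    Upstream libraries may embed their own version in the error text they
    hand back, so redaction is applied to the message itself, not only to
    the banner the server would append.
    """
    return _VERSION_RE.sub(lambda m: f"{m.group(1)} [version redacted]", text)


def version_banner() -> str:
    """Full component/version banner, for logs or an explicit debug mode."""
    return ", ".join(f"{name} {ver}" for name, ver in COMPONENT_VERSIONS.items())


def build_error_response(message: str, debug: bool = False) -> Tuple[str, str]:
    """Return (client_body, server_log_line) for an error.

    The log line always carries the banner so an administrator can debug
    from the server log; the client body only carries it when debug=True.
    """
    log_line = f"[error] {message} ({version_banner()})"
    if debug:
        return f"{message}\nServer: {version_banner()}", log_line
    return redact_versions(message), log_line


if __name__ == "__main__":
    # Constructed sample error text that embeds an upstream library version.
    sample = "PROJ version 8.8.8-example: unknown CRS 'EPSG:0000'"
    body, log = build_error_response(sample)
    print("client sees :", body)
    print("log records :", log)
    print("disclosures :", find_version_disclosures(body))
```

The scanner and the redactor share one pattern on purpose: whatever the review scan would flag is exactly what the default response path removes, so the two stay in step when a new component is added to `COMPONENT_VERSIONS` and to the regex alternation.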
