[MapServer-dev] MapServer version information in error messages

Steve Lime sdlime at gmail.com
Wed Jan 25 08:00:33 PST 2023


I'm +1 on cleaning that up as well. I wouldn't think someone would base
client behavior on a comment in an error message - too brittle.

On Wed, Jan 25, 2023 at 9:55 AM Nash, Edward <E.Nash at dvz-mv.de> wrote:

> I'd be +1 on sending as little information about the server as possible
> (aka "secure") by default.
>
> Whatever the technical merits, this one always comes up on security
> checklists, and anything that makes it harder to forget to set everything
> up correctly is fine by me - assuming the documentation of how to get the
> version details for debugging is clear and easy to find (as an FAQ, or
> maybe in a new "Troubleshooting" section in the docs?).
>
> Best regards,
>
> Ed
>
> -----Original Message-----
> From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> On Behalf Of
> Seth G
> Sent: Wednesday, 25 January 2023 16:13
> To: MapServer Devs <mapserver-dev at lists.osgeo.org>
> Subject: [MapServer-dev] MapServer version information in error messages
>
> Hi all,
>
> Does anyone have any thoughts about removing MapServer version information
> from any errors/responses sent to client applications?
>
> A few relevant online discussions [1] [2]. As MapServer falls more in the
> generic server category I'd be +1 on removing the details from responses
> (and leaving them in the client applications).
>
> See https://github.com/MapServer/MapServer/pull/6794 for some more
> details. I added in Proj and GDAL versions which are handy for
> admins/debugging, but provide more information to a malevolent party
> looking to attack a MapServer instance.
>
> Seth
>
> [1]
> https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
> [2]
> https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app
>
> --
> web:https://geographika.net
> twitter: @geographika
> _______________________________________________
> MapServer-dev mailing list
> MapServer-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>