[MapServer-dev] MapServer version information in error messages

Seth G sethg at geographika.co.uk
Thu Jan 26 06:10:40 PST 2023 

Hi all,

Please see https://github.com/MapServer/MapServer/pull/6808. There are lots of changes to expected msautotest results due to missing blank lines after the version number that weren't stripped, but the actual code changes are minimal.

Seth

--
web:https://geographika.net
twitter: @geographika

On Wed, Jan 25, 2023, at 5:00 PM, Steve Lime wrote:
> I'm +1 on cleaning that up as well. I wouldn't think someone would base client behavior on a comment in an error message - too brittle.
> 
> On Wed, Jan 25, 2023 at 9:55 AM Nash, Edward <E.Nash at dvz-mv.de> wrote:
>> I'd be +1 on sending as little information about the server as possible (aka "secure") by default.
>> 
>> Whatever the technical merits, this one always comes up on security checklists, and anything that makes it harder to forget to set everything up correctly is fine by me - assuming the documentation of how to get the version details for debugging is clear and easy to find (as an FAQ, or maybe in a new "Troubleshooting" section in the docs?).
>> 
>> Best regards,
>> 
>> Ed
>> 
>> -----Ursprüngliche Nachricht-----
>> Von: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> Im Auftrag von Seth G
>> Gesendet: Mittwoch, 25. Januar 2023 16:13
>> An: MapServer Devs <mapserver-dev at lists.osgeo.org>
>> Betreff: [MapServer-dev] MapServer version information in error messages
>> 
>> Hi all,
>> 
>> Does anyone have any thoughts about removing MapServer version information from any errors/responses sent to client applications?
>> 
>> A few relevant online discussions [1] [2]. As MapServer falls more in the generic server category I'd be +1 on removing the details from responses (and leaving them in the client applications). 
>> 
>> See https://github.com/MapServer/MapServer/pull/6794 for some more details. I added in Proj and GDAL versions which are handy for admins/debugging, but provide more information to a malevolent party looking to attack a MapServer instance. 
>> 
>> Seth
>> 
>> [1] https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
>> [2] https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app
>> 
>> --
>> web:https://geographika.net
>> twitter: @geographika
>> _______________________________________________
>> MapServer-dev mailing list
>> MapServer-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>> _______________________________________________
>> MapServer-dev mailing list
>> MapServer-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20230126/b8d6fead/attachment.htm>

More information about the MapServer-dev mailing list