[MapServer-dev] MapServer version information in error messages

Tom Kralidis tomkralidis at gmail.com
Thu Jan 26 08:45:50 PST 2023


I guess having this configurable is overkill? Regardless, +1 in
support of Postel's Law here.

..Tom

On Wed, Jan 25, 2023 at 11:00 AM Steve Lime <sdlime at gmail.com> wrote:

> I'm +1 on cleaning that up as well. I wouldn't think someone would base
> client behavior on a comment in an error message - too brittle.
>
> On Wed, Jan 25, 2023 at 9:55 AM Nash, Edward <E.Nash at dvz-mv.de> wrote:
>
>> I'd be +1 on sending as little information about the server as possible
>> (aka "secure") by default.
>>
>> Whatever the technical merits, this one always comes up on security
>> checklists, and anything that makes it harder to forget to set everything
>> up correctly is fine by me - assuming the documentation of how to get the
>> version details for debugging is clear and easy to find (as an FAQ, or
>> maybe in a new "Troubleshooting" section in the docs?).
>>
>> Best regards,
>>
>> Ed
>>
>> -----Original Message-----
>> From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> On Behalf
>> Of Seth G
>> Sent: Wednesday, 25 January 2023 16:13
>> To: MapServer Devs <mapserver-dev at lists.osgeo.org>
>> Subject: [MapServer-dev] MapServer version information in error messages
>>
>> Hi all,
>>
>> Does anyone have any thoughts about removing MapServer version
>> information from any errors/responses sent to client applications?
>>
>> A few relevant online discussions [1] [2]. As MapServer falls more in the
>> generic server category I'd be +1 on removing the details from responses
>> (and leaving them in the client applications).
>>
>> See https://github.com/MapServer/MapServer/pull/6794 for some more
>> details. I added in Proj and GDAL versions which are handy for
>> admins/debugging, but provide more information to a malevolent party
>> looking to attack a MapServer instance.
>>
>> Seth
>>
>> [1]
>> https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
>> [2]
>> https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app
>>
>> --
>> web:https://geographika.net
>> twitter: @geographika
>> _______________________________________________
>> MapServer-dev mailing list
>> MapServer-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev