<div dir="ltr">FWIW I added an option to suppress the version from server output, see:<div><br></div><div> <a href="https://github.com/MapServer/MapServer/pull/6480">https://github.com/MapServer/MapServer/pull/6480</a></div><div><br></div><div>--Steve</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 18, 2022 at 8:43 AM Steve Lime <<a href="mailto:sdlime@gmail.com">sdlime@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">So it turns out that suppressing the version string itself is trivial - a one-liner. However, that string is almost always enclosed in a construct of some sort - like an XML or HTML comment. I think those would need to be suppressed too by just checking to see if the version string is empty. Would folks agree? There aren't that many occurrences impacted, I count eight of them. --Steve</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 16, 2022 at 9:21 AM Steve Lime <<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I should never send an email and then go to bed... great discussion! Anyway, I was thinking about this in terms of version obfuscation for security purposes. I mean why advertise that specific information if you don't have to - at least make it a little challenging (and check a box). Obfuscating you're using mapserver altogether would be much more difficult, if not impossible. I could see doing things like supporting customizable error templates, suppressing function names in error messages, etc... Certainly not fool proof of course.<div><br></div><div>I think the configuration file can really provide value here...</div><div><br></div><div>--Steve</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 16, 2022 at 7:18 AM Michael Smith <<a href="mailto:michael.smith.erdc@gmail.com" target="_blank">michael.smith.erdc@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">Agree with you that’s it’s a standard checklist item (in DoD for STIGs). But fundamentally useless. The security auditors agree but yeah, checklist folks are generally not persuadable. I can see a config option. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">Mike<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">-- <u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">Michael Smith<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">US Army Corps of Engineers<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">Remote Sensing/GIS Center</span><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u><u></u></span></p></div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p><div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in"><p class="MsoNormal"><b><span lang="DE" style="font-family:Calibri,sans-serif;color:black">From: </span></b><span lang="DE" style="font-family:Calibri,sans-serif;color:black">MapServer-dev <<a href="mailto:mapserver-dev-bounces@lists.osgeo.org" target="_blank">mapserver-dev-bounces@lists.osgeo.org</a>> on behalf of "Nash, Edward" <<a href="mailto:E.Nash@dvz-mv.de" target="_blank">E.Nash@dvz-mv.de</a>><br><b>Date: </b>Wednesday, February 16, 2022 at 7:15 AM<br><b>To: </b>MapServer Dev Mailing List <<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>><br><b>Subject: </b>Re: [mapserver-dev] Dropping Version Output?<u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="DE" style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p></div><p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">It may or may not be pure security theatre (personally, I’d tend to agree with you on that), but ‘round these parts then not publishing the versions of external software components used is pretty high up on standard checklists for securing systems (and is low-hanging fruit for anyone to check, so shows up pretty quickly), so being able to configure it out would save plenty of hassle.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Ed<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p><div><div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in"><p class="MsoNormal"><b><span lang="DE" style="font-size:11pt;font-family:Calibri,sans-serif">Von:</span></b><span lang="DE" style="font-size:11pt;font-family:Calibri,sans-serif"> MapServer-dev [mailto:<a href="mailto:mapserver-dev-bounces@lists.osgeo.org" target="_blank">mapserver-dev-bounces@lists.osgeo.org</a>] <b>Im Auftrag von </b><a href="mailto:michael.smith.erdc@gmail.com" target="_blank">michael.smith.erdc@gmail.com</a><br><b>Gesendet:</b> Mittwoch, 16. </span><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif">Februar 2022 12:37<br><b>An:</b> Tom Kralidis <<a href="mailto:tomkralidis@gmail.com" target="_blank">tomkralidis@gmail.com</a>><br><b>Cc:</b> MapServer Dev Mailing List <<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>><br><b>Betreff:</b> Re: [mapserver-dev] Dropping Version Output?<u></u><u></u></span></p></div></div><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB">Also, I’d say that any perceived extra security by not having this info in the response is not really security, just security theatre. <u></u><u></u></span></p><div><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p></div><div><p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-GB">Keep it in.<u></u><u></u></span></p><div><p class="MsoNormal"><span lang="EN-GB">Michael Smith<u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB">US Army Corps<u></u><u></u></span></p></div><div><p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-GB"><u></u> <u></u></span></p><blockquote style="margin-top:5pt;margin-bottom:5pt"><p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-GB">On Feb 16, 2022, at 6:34 AM, Tom Kralidis <</span><span lang="DE"><a href="mailto:tomkralidis@gmail.com" target="_blank"><span lang="EN-GB">tomkralidis@gmail.com</span></a></span><span lang="EN-GB">> wrote:<u></u><u></u></span></p></blockquote></div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><p class="MsoNormal"><span lang="DE" style="font-family:Calibri,sans-serif"></span><span lang="EN-GB"><u></u><u></u></span></p><div><div><p class="MsoNormal"><span lang="EN-GB">I would suggest keeping at least the version somewhere in the responses (i.e. current behaviour, or<u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB">move to an HTTP header). For scenarios where users do not have access to the deployment environment,<u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB">this information is critical.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB">..Tom<u></u><u></u></span></p></div></div><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p><div><div><p class="MsoNormal"><span lang="EN-GB">On Tue, Feb 15, 2022 at 8:49 PM Steve Lime <</span><span lang="DE"><a href="mailto:sdlime@gmail.com" target="_blank"><span lang="EN-GB">sdlime@gmail.com</span></a></span><span lang="EN-GB">> wrote:<u></u><u></u></span></p></div><blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt"><div><p class="MsoNormal"><span lang="EN-GB">What do folks think about dropping the version output from MapServer? </span><span lang="DE">That is, output like:<u></u><u></u></span></p><div><p class="MsoNormal"><span lang="DE"><u></u> <u></u></span></p></div><div><table border="0" cellpadding="0"><tbody><tr><td style="padding:0.75pt"></td></tr><tr><td style="padding:0.75pt"><p class="MsoNormal"><span lang="EN-GB" style="color:black"><!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE --><u></u><u></u></span></p></td></tr><tr><td style="padding:0.75pt"></td></tr></tbody></table><p class="MsoNormal"><span lang="EN-GB" style="color:white">I'm not sure that advertising version and supported components makes sense anymore. Might be able to make it tunable via the config file but I'm not sure that's even necessary.</span><span lang="EN-GB"><u></u><u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span lang="EN-GB">--Steve<u></u><u></u></span></p></div></div><p class="MsoNormal"><span lang="EN-GB">_______________________________________________<br>MapServer-dev mailing list<br></span><span lang="DE"><a href="mailto:MapServer-dev@lists.osgeo.org" target="_blank"><span lang="EN-GB">MapServer-dev@lists.osgeo.org</span></a></span><span lang="EN-GB"><br></span><span lang="DE"><a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank"><span lang="EN-GB">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</span></a></span><span lang="EN-GB"><u></u><u></u></span></p></blockquote></div><p class="MsoNormal"><span lang="EN-GB">_______________________________________________<br>MapServer-dev mailing list<br></span><span lang="DE"><a href="mailto:MapServer-dev@lists.osgeo.org" target="_blank"><span lang="EN-GB">MapServer-dev@lists.osgeo.org</span></a></span><span lang="EN-GB"><br></span><span lang="DE"><a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank"><span lang="EN-GB">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</span></a></span><span lang="EN-GB"><u></u><u></u></span></p></div></blockquote></div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif">_______________________________________________ MapServer-dev mailing list <a href="mailto:MapServer-dev@lists.osgeo.org" target="_blank">MapServer-dev@lists.osgeo.org</a> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a> <u></u><u></u></span></p></div></div>
_______________________________________________<br>
MapServer-dev mailing list<br>
<a href="mailto:MapServer-dev@lists.osgeo.org" target="_blank">MapServer-dev@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>