OGR security issue

Frank Warmerdam fwarmerdam at GMAIL.COM
Thu Feb 24 23:24:28 EST 2005


On Fri, 25 Feb 2005 13:44:37 +1100, Tim Mackey <Timothy.Mackey at ga.gov.au> wrote:
>
> Hi,
>
> We were unsuccessfully trying to publish a new mapserver application using
> OCI connections via GDAL. We eventually got it to go, but during our
> testing, the following error message was visible in a web browser:
>
> msDrawMap(): Image handling error. Failed to draw layer named 'xxxxxxxx'.
>  msOGRFileOpen(): OGR error. Open failed for OGR connection
> `OCI:USER/PASSWORD at DATABASE'. File not found or unsupported format.
>
> The fact that the Oracle password is displayed in the error message sent to
> the browser is clearly a security risk. I therefore modified the code in
> mapogr.cpp, so that the password was replaced in the error message by a
> series of '*' characters.
>
> It has worked for me. Would a kindly developer put this code into CVS for
> the next release?

Tim,

I certainly see your point, but I am concerned that it will be
difficult to do a good job of masking passwords.  Your code
might do it properly for OCI passwords, but it doesn't necessarily
address other RDBMS connections with passwords in somewhat
different formats.  It could also easily end up masking out chunks of
the filename where the @ does not relate to a password at all.

BTW, do the other connection based drivers (i.e. ORACLESPATIAL,
PostGIS, etc.) provide some sort of masking mechanism for
passwords?

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent
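To illustrate the point Frank raises above, here is an added example (not MapServer's code and not the patch Tim describes): a hypothetical `maskConnectionPassword` helper that redacts only the password field of an `OCI:user/password@database` string and of a PostgreSQL-style `key=value` string, and leaves anything else, including a filename that happens to contain `@`, untouched. The PG format handling and the function name are assumptions made for the example.

```cpp
#include <cctype>
#include <cstring>
#include <string>

// Hypothetical helper (not MapServer's own code): redact the password portion of
// an OGR connection string before it is echoed in an error message.
// Two formats are handled, each with its own layout:
//   OCI:user/password@database[:table,...]   (OCI driver)
//   PG:dbname=x user=y password=z ...        (PostgreSQL driver, key=value pairs)
// Anything else, e.g. a plain filename containing '@', is returned unchanged.
std::string maskConnectionPassword(const std::string& conn)
{
    const std::string mask = "***";

    if (conn.compare(0, 4, "OCI:") == 0) {
        // Password sits between the first '/' and the '@' that follows it.
        std::string::size_type slash = conn.find('/', 4);
        if (slash == std::string::npos)
            return conn;                               // no password present
        std::string::size_type at = conn.find('@', slash + 1);
        std::string::size_type end = (at == std::string::npos) ? conn.size() : at;
        return conn.substr(0, slash + 1) + mask + conn.substr(end);
    }

    if (conn.compare(0, 3, "PG:") == 0) {
        // Find a "password=" key that starts a token (not e.g. "sslpassword=").
        std::string::size_type key = conn.find("password=", 3);
        while (key != std::string::npos && key > 3 &&
               !std::isspace(static_cast<unsigned char>(conn[key - 1])))
            key = conn.find("password=", key + 1);
        if (key == std::string::npos)
            return conn;
        std::string::size_type valStart = key + std::strlen("password=");
        std::string::size_type valEnd = conn.find_first_of(" \t", valStart);
        if (valEnd == std::string::npos)
            valEnd = conn.size();
        return conn.substr(0, valStart) + mask + conn.substr(valEnd);
    }

    // Not a recognised database connection string: leave as-is so that an '@'
    // in an ordinary filename is never mistaken for a credential separator.
    return conn;
}
```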