<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6603.0">
<TITLE>OGR security issue</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">Hi,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">We were unsuccessfully trying to publish a new mapserver application using OCI connections via GDAL. We eventually got it to go, but during our testing, the following error message was visible in a web browser:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">msDrawMap(): Image handling error. Failed to draw layer named 'xxxxxxxx'.<BR>
msOGRFileOpen(): OGR error. Open failed for OGR connection `OCI:USER/PASSWORD@DATABASE'. File not found or unsupported format.</FONT> </P>
<P><FONT SIZE=2 FACE="Arial">The fact that the Oracle password is displayed in the error message sent to the browser is clearly a security risk. I therefore modified the code in mapogr.cpp, so that the password was replaced in the error message by a series of '*' characters. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">It has worked for me. Would a kindly developer put this code into CVS for the next release?</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Around line 850 in version 4.2.0 of mapogr.cpp:</FONT>
</P>
<PRE>
    /* Copy the datasource name and replace the password (the characters
       between the first '/' and the following '@') with '*' so that it is
       not echoed back to the browser in the error message. */
    char maskpasswd[MS_MAXPATHLEN];
    size_t i, len;
    int passwd = 0;

    /* bounded copy: pszDSName may be longer than MS_MAXPATHLEN */
    strncpy(maskpasswd, pszDSName, MS_MAXPATHLEN - 1);
    maskpasswd[MS_MAXPATHLEN - 1] = '\0';
    len = strlen(maskpasswd);

    for (i = 0; i &lt; len; i++)
    {
        if (passwd)
        {
            if (maskpasswd[i] == '@')
                break;              /* end of password: keep the rest as-is */
            else
                maskpasswd[i] = '*';
        }
        if (maskpasswd[i] == '/')
            passwd = 1;             /* password starts after the '/' */
    }

    msSetError(MS_OGRERR,
               (char*)CPLSPrintf("Open failed for OGR connection `%s'. "
                                 "File not found or unsupported format.",
                                 maskpasswd),
               "msOGRFileOpen()");
</PRE>
<BR>
<P><FONT SIZE=2 FACE="Arial">Many thanks,</FONT>
</P>
<P><B><FONT SIZE=2 FACE="Arial">Tim Mackey</FONT></B>
<BR><FONT SIZE=2 FACE="Arial">Web Systems Manager</FONT>
<BR><FONT SIZE=2 FACE="Arial">Geoscience Australia</FONT>
<BR><FONT SIZE=2 FACE="Arial">02 6249 9813</FONT>
<BR><A HREF="mailto:timothy.mackey@ga.gov.au"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">timothy.mackey@ga.gov.au</FONT></U></A>
<BR><A HREF="http://www.ga.gov.au/"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://www.ga.gov.au/</FONT></U></A>
</P>
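<P><FONT SIZE=2 FACE="Arial">The masking logic from the message above, written out as a stand-alone C function so it can be compiled and tried on its own. This is an added example, not the posted patch and not MapServer or GDAL code: <CODE>mask_dsn_password</CODE>, <CODE>masked_dsn</CODE>, <CODE>DSN_BUF_LEN</CODE> and the sample datasource names are all constructed for illustration. It goes slightly beyond the posted snippet by handling the edge cases a reviewer would ask about: a datasource name with no '@' (everything after the '/' is masked), one with no '/' (nothing is masked), a '/' that appears after the '@' (left untouched, since masking stops at the first '@'), and an input longer than the destination buffer (truncated instead of overrun).</FONT></P>

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this example; MapServer itself uses MS_MAXPATHLEN. */
#define DSN_BUF_LEN 256

/*
 * Copy an OGR datasource name into dst with its password replaced by '*'.
 *
 * For the OCI form "OCI:USER/PASSWORD@DATABASE" the password is every
 * character after the first '/' up to (not including) the next '@'.
 * Edge cases handled:
 *   - no '@' after the '/':       everything after the '/' is masked;
 *   - no '/' at all:              nothing is masked, the string is copied as-is;
 *   - a '/' after the '@':        left untouched, masking stops at the first '@';
 *   - pszDSName longer than dstlen-1: truncated, never overruns dst.
 * dst is always NUL-terminated.  Returns dst.
 */
char *mask_dsn_password(const char *pszDSName, char *dst, size_t dstlen)
{
    enum { BEFORE, IN_PASSWORD, DONE } state = BEFORE;
    size_t n, i;

    if (dstlen == 0)
        return dst;

    n = strlen(pszDSName);
    if (n > dstlen - 1)
        n = dstlen - 1;                 /* truncate rather than overflow */

    for (i = 0; i < n; i++) {
        char c = pszDSName[i];
        switch (state) {
        case BEFORE:
            if (c == '/')
                state = IN_PASSWORD;    /* password starts after this '/' */
            break;
        case IN_PASSWORD:
            if (c == '@')
                state = DONE;           /* database name follows, keep it */
            else
                c = '*';
            break;
        case DONE:
            break;                      /* everything after the '@' is copied as-is */
        }
        dst[i] = c;
    }
    dst[i] = '\0';
    return dst;
}

/* Convenience wrapper for callers that only need the masked text briefly,
   e.g. as a printf argument; it returns a static buffer, so it is not re-entrant. */
const char *masked_dsn(const char *pszDSName)
{
    static char buf[DSN_BUF_LEN];
    return mask_dsn_password(pszDSName, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample datasource names; none refer to a real database. */
    const char *samples[] = {
        "OCI:scott/tiger@orcl",
        "OCI:scott/tiger",
        "OCI:scott",
        "OCI:scott/tiger@//db1.example:1521/orcl",
    };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-42s -> %s\n", samples[k], masked_dsn(samples[k]));
    return 0;
}
```

<P><FONT SIZE=2 FACE="Arial">In the context of the posted patch, the masked copy is what goes into the <CODE>CPLSPrintf</CODE> argument of the <CODE>msSetError</CODE> call; the original <CODE>pszDSName</CODE> is never modified, so the real connection string is still available for the actual OGR open. Note that this only hides the password in the message text; the unmasked string still exists in the map file and in process memory.</FONT></P>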
</BODY>
</HTML>