[mapserver-dev] Security risk with WMS exceptions?

Daniel Morissette dmorissette at mapgears.com
Wed May 21 06:22:51 PDT 2014

There are several instances of very detailed error messages like this 
one in the postgis driver. Those details are useful for debugging, but 
you are right that it is a bit much to expose to the end user. Perhaps 
they could be converted to a more generic error message via 
msSetError(), and the details moved to a msDebug() call when 
layer->debug is set.

Maybe a ticket could be filed about this for when someone has time?


On 14-05-21 8:13 AM, Rahkonen Jukka (Tike) wrote:
> Hi,
> Right now the Mapserver demo server has troubles with connecting to PostgreSQL and GetMaps like
> http://demo.mapserver.org/cgi-bin/foss4g?&SERVICE=WMS&VERSION=1.1.1%20&REQUEST=GetMap&LAYERS=OSM_Denver&STYLES=&SRS=EPSG:4326&BBOX=-105.208290,39.542378,-104.769779,39.980889&WIDTH=100&HEIGHT=100&FORMAT=image/png
> leads to this error message:
> <?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
> <!DOCTYPE ServiceExceptionReport SYSTEM "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
> <ServiceExceptionReport version="1.1.1">
> <ServiceException>
> msDrawMap(): Image handling error. Failed to draw layer named 'landuse_layer4'.
> msPostGISLayerOpen(): Query error. Database connection failed (FATAL:  database "osm" does not exist
> ) with connect string 'host=localhost dbname=osm user=www-data password=******** port=5432'
> Is the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?
> </ServiceException>
> </ServiceExceptionReport>
> Well, the message does not reveal the password and it gives useful information for the Mapserver admin. But does it make sense to send this information to WMS users?
> -Jukka Rahkonen-
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev

Daniel Morissette
T: +1 418-696-5056 #201
Provider of Professional MapServer Support since 2000

More information about the mapserver-dev mailing list