[mapserver-dev] Security risk with WMS exceptions?
jmckenna at gatewaygeomatics.com
Thu May 22 06:14:50 PDT 2014
Actually another user messaged me privately recently mentioning the same
thing, and I said the same thing you did, to please file a ticket this
could be a very useful addition...
On 2014-05-21, 10:22 AM, Daniel Morissette wrote:
> There are several instances of very detailed error messages like this
> one in the postgis driver. Those details are useful for debugging, but
> you are right that it is a bit much to expose to the end user. Perhaps
> they could be converted to a more generic error message via
> msSetError(), and the details moved to a msDebug() call when
> layer->debug is set.
> Maybe a ticket could be filed about this for when someone has time?
> On 14-05-21 8:13 AM, Rahkonen Jukka (Tike) wrote:
>> Right now the Mapserver demo server has troubles with connecting to
>> PostgreSQL and GetMaps like
>> leads to this error message:
>> <?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
>> <!DOCTYPE ServiceExceptionReport SYSTEM
>> <ServiceExceptionReport version="1.1.1">
>> msDrawMap(): Image handling error. Failed to draw layer named
>> msPostGISLayerOpen(): Query error. Database connection failed (FATAL:
>> database "osm" does not exist
>> ) with connect string 'host=localhost dbname=osm user=www-data
>> password=******** port=5432'
>> Is the database running? Is it allowing connections? Does the
>> specified user exist? Is the password valid? Is the database on the
>> standard port?
>> Well, the message does not reveal the password and it gives useful
>> information for the Mapserver admin. But does it make sense to send
>> this information to WMS users?
>> -Jukka Rahkonen-
More information about the mapserver-dev