[mapserver-dev] Security risk with WMS exceptions?

Jeff McKenna jmckenna at gatewaygeomatics.com
Thu May 22 06:14:50 PDT 2014


Hi Daniel,

Actually, another user messaged me privately recently mentioning the same
thing, and I said the same thing you did, to please file a ticket; this
could be a very useful addition...

-jeff



On 2014-05-21, 10:22 AM, Daniel Morissette wrote:
> There are several instances of very detailed error messages like this
> one in the postgis driver. Those details are useful for debugging, but
> you are right that it is a bit much to expose to the end user. Perhaps
> they could be converted to a more generic error message via
> msSetError(), and the details moved to a msDebug() call when
> layer->debug is set.
> 
> Maybe a ticket could be filed about this for when someone has time?
> 
> Daniel
> 
> 
> On 14-05-21 8:13 AM, Rahkonen Jukka (Tike) wrote:
>>
>> Hi,
>>
>> Right now the Mapserver demo server has troubles with connecting to
>> PostgreSQL and GetMaps like
>>
>> http://demo.mapserver.org/cgi-bin/foss4g?&SERVICE=WMS&VERSION=1.1.1%20&REQUEST=GetMap&LAYERS=OSM_Denver&STYLES=&SRS=EPSG:4326&BBOX=-105.208290,39.542378,-104.769779,39.980889&WIDTH=100&HEIGHT=100&FORMAT=image/png
>>
>> leads to this error message:
>>
>> <?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
>> <!DOCTYPE ServiceExceptionReport SYSTEM
>> "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
>> <ServiceExceptionReport version="1.1.1">
>> <ServiceException>
>> msDrawMap(): Image handling error. Failed to draw layer named
>> 'landuse_layer4'.
>> msPostGISLayerOpen(): Query error. Database connection failed (FATAL: 
>> database "osm" does not exist
>> ) with connect string 'host=localhost dbname=osm user=www-data
>> password=******** port=5432'
>> Is the database running? Is it allowing connections? Does the
>> specified user exist? Is the password valid? Is the database on the
>> standard port?
>> </ServiceException>
>> </ServiceExceptionReport>
>>
>> Well, the message does not reveal the password and it gives useful
>> information for the Mapserver admin. But does it make sense to send
>> this information to WMS users?
>>
>> -Jukka Rahkonen-
>>
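
A minimal sketch of the split suggested in the thread above (generic text for the WMS client, driver details to the debug log only when layer debugging is on), added here as an example and not MapServer code. `layer_t`, `report_connect_failure`, `leaks_connection_details` and the two buffers are hypothetical stand-ins for the msSetError()/msDebug() outputs; the sample input is constructed from the error text quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: these buffers play the roles of the client-visible
 * error (ServiceExceptionReport body) and the server-side debug log. */
static char client_error[256];
static char debug_log[512];

typedef struct {
    const char *name;  /* layer name */
    int debug;         /* mirrors the layer->debug flag mentioned in the thread */
} layer_t;

/* Generic text for the client; the driver message and connect string go to
 * the debug log only when debugging is enabled for the layer. */
static int report_connect_failure(const layer_t *layer, const char *driver_msg,
                                  const char *connstr)
{
    client_error[0] = '\0';
    debug_log[0] = '\0';
    snprintf(client_error, sizeof client_error,
             "Database connection failed. Check server logs for more details.");
    if (layer->debug)
        snprintf(debug_log, sizeof debug_log,
                 "layer '%s': connection failed (%s) with connect string '%s'",
                 layer->name, driver_msg, connstr);
    return -1;
}

/* Returns 1 if msg contains connection-string keywords like those in the
 * quoted error, 0 otherwise. Usable as a regression check on client output. */
static int leaks_connection_details(const char *msg)
{
    static const char *keys[] = { "host=", "dbname=", "user=", "password=", "port=" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strstr(msg, keys[i]) != NULL)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed input, based on the error text quoted in the thread. */
    layer_t layer = { "landuse_layer4", 1 };
    report_connect_failure(&layer, "FATAL: database \"osm\" does not exist",
        "host=localhost dbname=osm user=www-data password=******** port=5432");
    printf("client: %s\nleak: %d\ndebug: %s\n", client_error,
           leaks_connection_details(client_error), debug_log);
    return 0;
}
```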

