[mapserver-dev] Security risk with WMS exceptions?

Rahkonen Jukka (Tike) jukka.rahkonen at mmmtike.fi
Thu May 22 06:18:40 PDT 2014


Hi,

Already filed in https://github.com/mapserver/mapserver/issues/4928

-Jukka-

Jeff McKenna wrote:
> 
> Hi Daniel,
> 
> Actually another user messaged me privately recently mentioning the same
> thing, and I said the same thing you did, to please file a ticket; this could be a
> very useful addition...
> 
> -jeff
> 
> 
> 
> On 2014-05-21, 10:22 AM, Daniel Morissette wrote:
> > There are several instances of very detailed error messages like this
> > one in the postgis driver. Those details are useful for debugging, but
> > you are right that it is a bit much to expose to the end user. Perhaps
> > they could be converted to a more generic error message via
> > msSetError(), and the details moved to a msDebug() call when
> > layer->debug is set.
> >
> > Maybe a ticket could be filed about this for when someone has time?
> >
> > Daniel
> >
> >
> > On 14-05-21 8:13 AM, Rahkonen Jukka (Tike) wrote:
> >>
> >> Hi,
> >>
> >> Right now the Mapserver demo server has trouble connecting to
> >> PostgreSQL and GetMaps like
> >>
> >> http://demo.mapserver.org/cgi-bin/foss4g?&SERVICE=WMS&VERSION=1.1.1%20&REQUEST=GetMap&LAYERS=OSM_Denver&STYLES=&SRS=EPSG:4326&BBOX=-105.208290,39.542378,-104.769779,39.980889&WIDTH=100&HEIGHT=100&FORMAT=image/png
> >>
> >> leads to this error message:
> >>
> >> <?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
> >> <!DOCTYPE ServiceExceptionReport SYSTEM
> >> "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
> >> <ServiceExceptionReport version="1.1.1"> <ServiceException>
> >> msDrawMap(): Image handling error. Failed to draw layer named
> >> 'landuse_layer4'.
> >> msPostGISLayerOpen(): Query error. Database connection failed (FATAL:
> >> database "osm" does not exist
> >> ) with connect string 'host=localhost dbname=osm user=www-data
> >> password=******** port=5432'
> >> Is the database running? Is it allowing connections? Does the
> >> specified user exist? Is the password valid? Is the database on the
> >> standard port?
> >> </ServiceException>
> >> </ServiceExceptionReport>
> >>
> >> Well, the message does not reveal the password and it gives useful
> >> information for the Mapserver admin. But does it make sense to send
> >> this information to WMS users?
> >>
> >> -Jukka Rahkonen-
> >>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
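
The split suggested in the thread (generic text for the WMS client, driver detail only in the debug log when layer debugging is on), as an added example that is not MapServer code and not from any of the posters. `report_connect_failure`, `client_error` and `server_log` are hypothetical stand-ins for the msSetError() and msDebug() channels, and the connect string with its password is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: client_error is the text that would reach the
 * ServiceException, server_log is the operator-only debug log. */
static char client_error[256];
static char server_log[512];

/* Copy conninfo into out with the password= value masked.
 * Assumption: the value is unquoted and ends at the next space. */
static void mask_password(const char *conninfo, char *out, size_t outlen)
{
    const char *key = "password=";
    const char *p = strstr(conninfo, key);
    const char *end;

    if (p == NULL) {
        snprintf(out, outlen, "%s", conninfo);
        return;
    }
    end = p + strlen(key);
    while (*end != '\0' && *end != ' ')
        end++;                          /* skip the secret itself */
    snprintf(out, outlen, "%.*s%s********%s",
             (int)(p - conninfo), conninfo, key, end);
}

/* Report a failed database connection: the client always gets the same
 * generic text; host, database, user and the driver's own error go to
 * the log only when layer_debug is non-zero. */
void report_connect_failure(int layer_debug, const char *conninfo,
                            const char *db_error)
{
    char masked[256];

    snprintf(client_error, sizeof client_error,
             "Database connection failed. See the server log for details.");
    server_log[0] = '\0';
    if (layer_debug) {
        mask_password(conninfo, masked, sizeof masked);
        snprintf(server_log, sizeof server_log,
                 "connect failed (%s) with connect string '%s'",
                 db_error, masked);
    }
}

const char *last_client_error(void) { return client_error; }
const char *last_server_log(void)   { return server_log; }
```
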

