[mapserver-dev] Dropping Version Output?

Wed Feb 16 01:20:30 PST 2022

Hi,

back in the day when we always compiled Mapserver ourselves then we always removed the signature line output – for the reasons Jukka says. I believe the current difference as to whether the string is output depends on whether the Capabilities are generated by slamming strings together (where it is included) or via libxml (where it is not).

As a user, I’d be in favour of removing the output, or at least having it configurable (preferably as an opt-in). It’s basically debugging output being forced into a productive system.

Regards,

Ed

Von: MapServer-dev [mailto:mapserver-dev-bounces at lists.osgeo.org] Im Auftrag von Rahkonen Jukka (MML)
Gesendet: Mittwoch, 16. Februar 2022 09:58
An: Steve Lime <sdlime at gmail.com>; MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
Betreff: Re: [mapserver-dev] Dropping Version Output?

Hi,

Do you mean the comment line in the WMS and WFS 1.0.0 GetCapabilities that is not included in WFS 1.1.0, 2.0.0, and WCS.xxx as can be easily tested at https://demo.mapserver.org/?

I think that the message is useful when trying to help someone else who has problems and who cannot run mapserv -v on the server. But advertising the Mapserver version is also considered as a security threat and at least we at NLS rip it off from our production services in our web facade. I guess that people with some knowledge can still find enough fingerprints about the make of the server with a bunch of considered requests but finding the exact version it is not so easy.

I would say that at least there should be an easy way to remove the version info. It would be also nice if all services behaved in the same way, just tried to help some user with Mapserver WFS 1.1.0 but that server did not publish WMS nor WFS 1.0.0 so I could not find the version.

Lähettäjä: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org<mailto:mapserver-dev-bounces at lists.osgeo.org>> Puolesta Steve Lime
Lähetetty: keskiviikko 16. helmikuuta 2022 3.49
Vastaanottaja: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org<mailto:mapserver-dev at lists.osgeo.org>>
Aihe: [mapserver-dev] Dropping Version Output?

What do folks think about dropping the version output from MapServer? That is, output like:

<!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->

I'm not sure that advertising version and supported components makes sense anymore. Might be able to make it tunable via the config file but I'm not sure that's even necessary.

--Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20220216/8318d896/attachment.html>