[mapserver-dev] Dropping Version Output?

Steve Lime sdlime at gmail.com
Tue Feb 22 10:06:36 PST 2022


FWIW I added an option to suppress the version from server output, see:

  https://github.com/MapServer/MapServer/pull/6480

--Steve

On Fri, Feb 18, 2022 at 8:43 AM Steve Lime <sdlime at gmail.com> wrote:

> So it turns out that suppressing the version string itself is trivial - a
> one-liner. However, that string is almost always enclosed in a construct of
> some sort - like an XML or HTML comment. I think those would need to be
> suppressed too by just checking to see if the version string is empty.
> Would folks agree? There aren't that many occurrences impacted, I count
> eight of them. --Steve
>
> On Wed, Feb 16, 2022 at 9:21 AM Steve Lime <sdlime at gmail.com> wrote:
>
>> I should never send an email and then go to bed... great discussion!
>> Anyway, I was thinking about this in terms of version obfuscation for
>> security purposes. I mean why advertise that specific information if you
>> don't have to - at least make it a little challenging (and check a box).
>> Obfuscating that you're using mapserver altogether would be much more
>> difficult, if not impossible. I could see doing things like supporting
>> customizable error templates, suppressing function names in error
>> messages, etc... Certainly not foolproof of course.
>>
>> I think the configuration file can really provide value here...
>>
>> --Steve
>>
>> On Wed, Feb 16, 2022 at 7:18 AM Michael Smith <
>> michael.smith.erdc at gmail.com> wrote:
>>
>>> Agree with you that it's a standard checklist item (in DoD for STIGs).
>>> But fundamentally useless. The security auditors agree but yeah, checklist
>>> folks are generally not persuadable. I can see a config option.
>>>
>>> Mike
>>>
>>> --
>>> Michael Smith
>>> US Army Corps of Engineers
>>> Remote Sensing/GIS Center
>>>
>>> From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf
>>> of "Nash, Edward" <E.Nash at dvz-mv.de>
>>> Date: Wednesday, February 16, 2022 at 7:15 AM
>>> To: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
>>> Subject: Re: [mapserver-dev] Dropping Version Output?
>>>
>>> It may or may not be pure security theatre (personally, I’d tend to
>>> agree with you on that), but ‘round these parts then not publishing the
>>> versions of external software components used is pretty high up on standard
>>> checklists for securing systems (and is low-hanging fruit for anyone to
>>> check, so shows up pretty quickly), so being able to configure it out would
>>> save plenty of hassle.
>>>
>>> Ed
>>>
>>> From: MapServer-dev [mailto:mapserver-dev-bounces at lists.osgeo.org] On behalf
>>> of michael.smith.erdc at gmail.com
>>> Sent: Wednesday, February 16, 2022 12:37
>>> To: Tom Kralidis <tomkralidis at gmail.com>
>>> Cc: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
>>> Subject: Re: [mapserver-dev] Dropping Version Output?
>>>
>>> Also, I’d say that any perceived extra security by not having this info
>>> in the response is not really security, just security theatre.
>>>
>>> Keep it in.
>>>
>>> Michael Smith
>>> US Army Corps
>>>
>>> On Feb 16, 2022, at 6:34 AM, Tom Kralidis <tomkralidis at gmail.com> wrote:
>>>
>>> I would suggest keeping at least the version somewhere in the responses
>>> (i.e. current behaviour, or move to an HTTP header). For scenarios where
>>> users do not have access to the deployment environment, this information
>>> is critical.
>>>
>>> ..Tom
>>>
>>> On Tue, Feb 15, 2022 at 8:49 PM Steve Lime <sdlime at gmail.com> wrote:
>>>
>>> What do folks think about dropping the version output from MapServer? That
>>> is, output like:
>>>
>>> <!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ
>>> SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
>>> SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER
>>> SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF
>>> INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->
>>>
>>> I'm not sure that advertising version and supported components makes
>>> sense anymore. Might be able to make it tunable via the config file but I'm
>>> not sure that's even necessary.
>>>
>>> --Steve
>>>
>>> _______________________________________________
>>> MapServer-dev mailing list
>>> MapServer-dev at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>>
>>
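The version comment quoted at the bottom of this thread has a regular shape, so a defender working through the kind of checklist Ed and Mike describe can verify whether an endpoint still advertises it. The following Python is an added example for this thread; it is not MapServer code and not taken from the pull request above. `parse_version_comment` extracts the version and the OUTPUT/SUPPORTS/INPUT tokens from a response body, `render_version_comment` mirrors Steve's suppression rule (an empty version string yields no comment wrapper at all, not an empty `<!-- -->`), and `leaking_endpoints` summarises which of several captured bodies still carry the comment. The sample bodies are constructed here, not captured from any real server.

```python
import re

# Constructed sample bodies (not captured from any real server). The first
# two carry the comment the thread quotes, in HTML and XML output; the third
# is what a response looks like once the version string is suppressed.
LEAKING_HTML = """<!DOCTYPE html>
<html><body>
<!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ
SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER
SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF
INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->
<img src="map.png">
</body></html>
"""

LEAKING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!-- MapServer version 7.6.4 OUTPUT=PNG SUPPORTS=WMS_SERVER INPUT=OGR -->
<WMS_Capabilities version="1.3.0"/>
"""

CLEAN_HTML = """<!DOCTYPE html>
<html><body><img src="map.png"></body></html>
"""

# The comment starts with a fixed prefix and a version token, then any
# number of KIND=VALUE tokens, possibly wrapped over several lines.
VERSION_COMMENT_RE = re.compile(
    r"<!--\s*MapServer version\s+(?P<version>\S+)(?P<caps>.*?)-->", re.DOTALL
)
TOKEN_RE = re.compile(r"\b(OUTPUT|SUPPORTS|INPUT)=(\S+)")


def parse_version_comment(body):
    """Return None when no MapServer version comment is present, otherwise a
    dict with the version and the capability tokens grouped by kind."""
    match = VERSION_COMMENT_RE.search(body)
    if match is None:
        return None
    found = {"version": match.group("version"),
             "OUTPUT": [], "SUPPORTS": [], "INPUT": []}
    for kind, value in TOKEN_RE.findall(match.group("caps")):
        found[kind].append(value)
    return found


def render_version_comment(version, tokens):
    """Mirror the suppression rule discussed in the thread (illustrative,
    not MapServer's implementation): with an empty version string, emit
    nothing at all rather than an empty <!-- --> wrapper."""
    if not version:
        return ""
    return "<!-- MapServer version %s %s -->" % (version, " ".join(tokens))


def leaking_endpoints(responses):
    """responses maps an endpoint label to its body; returns the labels that
    still advertise a version, for a checklist-style audit."""
    return sorted(label for label, body in responses.items()
                  if parse_version_comment(body) is not None)


if __name__ == "__main__":
    sample = {"wms-map": LEAKING_HTML,
              "wms-getcapabilities": LEAKING_XML,
              "wms-map-suppressed": CLEAN_HTML}
    for label in leaking_endpoints(sample):
        info = parse_version_comment(sample[label])
        print("%s advertises MapServer %s with %d SUPPORTS tokens"
              % (label, info["version"], len(info["SUPPORTS"])))
```

Running the audit over saved response bodies before and after enabling the suppression option gives a concrete before/after record for the checklist, and the round trip through `render_version_comment` shows why the wrapper has to go with the string: an empty `<!--  -->` would still tell a scanner which software family produced the page.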