OGR security issue
Tim Mackey
Timothy.Mackey at GA.GOV.AU
Thu Feb 24 18:44:37 PST 2005
Hi,
We were unsuccessfully trying to publish a new mapserver application using
OCI connections via GDAL. We eventually got it to go, but during our testing,
the following error message was visible in a web browser:
    msDrawMap(): Image handling error. Failed to draw layer named 'xxxxxxxx'.
    msOGRFileOpen(): OGR error. Open failed for OGR connection
    `OCI:USER/PASSWORD@DATABASE'. File not found or unsupported format.
The fact that the Oracle password is displayed in the error message sent to
the browser is clearly a security risk. I therefore modified the code in
mapogr.cpp, so that the password was replaced in the error message by a
series of '*' characters.
It has worked for me. Would a kindly developer put this code into CVS for the
next release?
Around line 850 in version 4.2.0 of mapogr.cpp:
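    /* Work on a copy of the data source name so the password can be
     * masked before it reaches the error message. The copy is bounded
     * because pszDSName may be longer than MS_MAXPATHLEN. */
    char maskpasswd[MS_MAXPATHLEN];
    size_t i, len;
    int passwd = 0;

    strncpy(maskpasswd, pszDSName, sizeof(maskpasswd) - 1);
    maskpasswd[sizeof(maskpasswd) - 1] = '\0';
    len = strlen(maskpasswd);

    /* Replace every character between the first '/' and the next '@'
     * (the password part of an OCI connection string) with '*'. */
    for (i = 0; i < len; i++)
    {
        if (passwd)
        {
            if (maskpasswd[i] == '@')
                break;
            else
                maskpasswd[i] = '*';
        }
        if (maskpasswd[i] == '/')
            passwd = 1;
    }

    msSetError(MS_OGRERR,
               (char*)CPLSPrintf("Open failed for OGR connection `%s'. "
                                 "File not found or unsupported format.",
                                 maskpasswd),
               "msOGRFileOpen()");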
Many thanks,
Tim Mackey
Web Systems Manager
Geoscience Australia
02 6249 9813
timothy.mackey at ga.gov.au
http://www.ga.gov.au/
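
An added example, not part of the original post and not MapServer or GDAL code: a stand-alone C version of the masking idea above. It only touches connection strings with an OCI: prefix, so file paths containing '/' stay readable, and it uses a fixed-width mask so the password length is not revealed. The function name mask_ogr_password and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper: writes a copy of an OGR data source name into out
 * with any OCI password replaced by a fixed-width mask.
 * Returns 0 on success, -1 on bad arguments or if out is too small. */
int mask_ogr_password(const char *dsname, char *out, size_t outlen)
{
    static const char mask[] = "****";
    const char *slash = NULL, *at;
    int n;

    if (dsname == NULL || out == NULL || outlen == 0)
        return -1;

    /* Only OCI:user/password@db strings are treated as carrying a
     * password. The prefix is compared case-insensitively as a defensive
     * choice so a lowercase "oci:" is not missed. */
    if (strncasecmp(dsname, "OCI:", 4) == 0)
        slash = strchr(dsname + 4, '/');

    if (slash == NULL) {
        n = snprintf(out, outlen, "%s", dsname);   /* nothing to mask */
    } else {
        /* End the password at the LAST '@' so an '@' inside the password
         * is masked too; with no '@', mask everything after the '/'. */
        at = strrchr(slash + 1, '@');
        n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(slash + 1 - dsname), dsname, mask, at ? at : "");
    }
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* do not hand back a truncated string */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample with the same shape as the error message above. */
    if (mask_ogr_password("OCI:USER/PASSWORD@DATABASE", buf, sizeof buf) == 0)
        printf("Open failed for OGR connection `%s'.\n", buf);
    return 0;
}
```

Masking only changes what the error text contains; whether such messages are sent to the browser at all is a separate deployment decision.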