OGR security issue

Tim Mackey Timothy.Mackey at GA.GOV.AU
Fri Feb 25 01:06:25 EST 2005


Frank,

Yes, my patch probably only works for some connections (eg OCI).
I haven't tested it against any other GDAL connection methods.

My main point is that the password needs to be masked in some way, and my
patch worked for me and at least works for the OCI connections.

Perhaps there is a more generic solution (like displaying the line in the
mapfile (or the layer name) the connection string is related to, rather than
the connection string itself)?

Regards,

Tim Mackey


-----Original Message-----
From: Frank Warmerdam [mailto:fwarmerdam at gmail.com] 
Sent: Friday, 25 February 2005 3:24 PM
To: Mackey Timothy
Cc: MAPSERVER-USERS at lists.umn.edu
Subject: Re: [UMN_MAPSERVER-USERS] OGR security issue


On Fri, 25 Feb 2005 13:44:37 +1100, Tim Mackey <Timothy.Mackey at ga.gov.au>
wrote:
> 
> Hi, 
> 
> We were unsuccessfully trying to publish a new mapserver application using
> OCI connections via GDAL. We eventually got it to go, but during our
> testing, the following error message was visible in a web browser: 
> 
> msDrawMap(): Image handling error. Failed to draw layer named 'xxxxxxxx'.
>  msOGRFileOpen(): OGR error. Open failed for OGR connection
> `OCI:USER/PASSWORD@DATABASE'. File not found or unsupported format. 
> 
> The fact that the Oracle password is displayed in the error message sent to
> the browser is clearly a security risk. I therefore modified the code in
> mapogr.cpp, so that the password was replaced in the error message by a
> series of '*' characters. 
> 
> It has worked for me. Would a kindly developer put this code into CVS for
> the next release? 

Tim,

I certainly see your point, but I am concerned that it will be
difficult to do a good job of masking passwords.  Your code
might do it properly for OCI passwords, but it doesn't necessarily
address other RDBMS connections with passwords in somewhat
different formats.  It could also easily end up masking out chunks of 
the filename where the @ does not relate to a password at all. 

BTW, do the other connection based drivers (ie ORACLESPATIAL,
PostGIS, etc) provide some sort of masking mechanism for 
passwords? 

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent
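
Added example, not part of the original thread and not MapServer or GDAL code: a sketch of format-aware masking that handles the `OCI:user/password@database` form from the error message above and leaves plain file names containing `@` untouched. The function name `redact_connection`, the `PG:` handling of a `password=` keyword, and all sample strings are assumptions made for illustration.

```cpp
#include <string>

// Hypothetical helper, not MapServer code: returns a copy of an OGR
// connection string that is safe to place in an error message.
static const std::string kMask = "********";  // fixed width hides password length

static bool has_prefix(const std::string& s, const std::string& p) {
    return s.compare(0, p.size(), p) == 0;
}

std::string redact_connection(const std::string& conn) {
    std::string out = conn;
    if (has_prefix(conn, "OCI:")) {
        // OCI:user/password@database -> mask between first '/' and last '@'.
        std::string::size_type slash = conn.find('/', 4);
        std::string::size_type at = conn.rfind('@');
        if (slash != std::string::npos && at != std::string::npos && at > slash)
            out.replace(slash + 1, at - slash - 1, kMask);
    } else if (has_prefix(conn, "PG:")) {
        // Assumed form: PG:... password=secret ... -> mask each password value.
        const std::string key = "password=";
        std::string::size_type pos = 3;
        while ((pos = out.find(key, pos)) != std::string::npos) {
            std::string::size_type start = pos + key.size();
            std::string::size_type end;
            if (start < out.size() && out[start] == '\'') {
                // Quoted value: mask through the closing quote.
                end = out.find('\'', start + 1);
                end = (end == std::string::npos) ? out.size() : end + 1;
            } else {
                // Unquoted value: mask up to the next space.
                end = out.find(' ', start);
                if (end == std::string::npos) end = out.size();
            }
            out.replace(start, end - start, kMask);
            pos = start + kMask.size();
        }
    }
    // Anything else (for example a file path containing '@') is left as is.
    return out;
}
```

Connection formats this sketch does not recognise pass through unchanged, so a driver it does not know about could still expose a password. Reporting only the layer name, as suggested in the reply above, does not depend on recognising the format.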


