[mapserver-users] Error messages contain private info

Frank Warmerdam warmerdam at pobox.com
Mon Jan 19 11:52:06 EST 2009


Jochen Topf wrote:
> On Fri, Jan 16, 2009 at 09:02:21AM -0500, Frank Warmerdam wrote:
>> Jochen Topf wrote:
>>> When using Mapserver with a database and there is an error connecting to
>>> the database the error message sent to the client contains the database
>>> connect string including the password! That's never a good idea. Can this
>>> be changed somehow?
>> Jochen,
>>
>> I would suggest you review:
>>
>>   http://mapserver.org/development/rfc/ms-rfc-18.html
> 
> That seems like a rather complex solution and it falls short in several
> aspects:
> * Security should be the default, not some add-on
> * It only protects passwords not the rest of the information.
> 
> Generally services should not leak any internal information to the outside
> world. Passwords are only the worst case here. But anything like host
> names, file names, database names, URLs of cascaded WMSes etc. should
> not ever get outside!
> 
> If there is an error this information should go into a log file. You can
> output a time stamp or some kind of id in the error message so that you
> can find the corresponding log messages. For servers only used
> internally where you don't mind the information leak or for debugging of
> a new setup there could be an option to output error messages to the
> client. But that would only be an option which is off by default.
> 
> See http://www.owasp.org/index.php/Top_10_2007-A6 for more on this.

Jochen,

Well, luckily we are an open community. Perhaps you would like to prepare
an RFC on a comprehensive solution and once approved begin work on an
implementation.  Be aware we are somewhat itchy about backward compatibility
on this project.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent
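The pattern Jochen proposes above (full detail to a log under a reference id, only the id to the client, verbose output opt-in and off by default), as an added illustration in Python that is not MapServer code; the error text and the logger name are constructed for the example.

```python
import logging
import re
import uuid
from dataclasses import dataclass

# Constructed sample of an upstream error that embeds a full connect string,
# the situation the thread describes.  Not a real MapServer message.
RAW_ERROR = ("layer open failed: could not connect to PostgreSQL: "
             "host=db1.internal dbname=gis user=mapserver password=s3cret")

log = logging.getLogger("mapserver.errors")  # assumed logger name

# Matches password=value or password='value with spaces' in a connect string.
_PASSWORD_RE = re.compile(r"(password\s*=\s*)('[^']*'|\S+)", re.IGNORECASE)


def redact_password(text: str) -> str:
    """Blank the password field of a libpq-style connect string."""
    return _PASSWORD_RE.sub(r"\1***", text)


@dataclass
class ClientError:
    reference: str   # correlation id the client can quote to the operator
    message: str     # text that is safe to send to the outside world


def report_error(raw_message: str, expose_details: bool = False) -> ClientError:
    """Log the full error server-side under a fresh reference id and return
    a client-facing message.  Hosts, file names and database names only
    reach the client when expose_details is explicitly enabled; the password
    is redacted even then."""
    ref = uuid.uuid4().hex[:12]
    # The complete text goes to the log only, keyed by the reference id so the
    # operator can match a client report to the log entry.
    log.error("ref=%s %s", ref, raw_message)
    if expose_details:
        return ClientError(ref, f"[{ref}] " + redact_password(raw_message))
    return ClientError(ref, f"Internal error (reference {ref}). "
                            "Please contact the server operator.")
```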
