Jochen Topf wrote:
On Fri, Jan 16, 2009 at 09:02:21AM -0500, Frank Warmerdam wrote:
Jochen Topf wrote:
When using Mapserver with a database and there is an error connecting to
the database the error message sent to the client contains the database
connect string including the password! That's never a good idea. Can this
be changed somehow?
Jochen,

I would suggest you review:

  http://mapserver.org/development/rfc/ms-rfc-18.html

That seems like a rather complex solution and it falls short in several
aspects:
* Security should be the default, not some add-on
* It only protects passwords not the rest of the information.

Generally services should not leak any internal information to the outside
world. Passwords are only the worst case here. But anything like host
names, file names, database names, URLs of cascaded WMSes etc. should
not ever get outside!

If there is an error this information should go into a log file. You can
output a time stamp or some kind of id in the error message so that you
can find the corresponding log messages. For servers only used
internally where you don't mind the information leak or for debugging of
a new setup there could be an option to output error messages to the
client. But that would only be an option which is off by default.

See http://www.owasp.org/index.php/Top_10_2007-A6 for more on this.

Jochen,

Well, luckily we are an open community. Perhaps you would like to prepare
an RFC on a comprehensive solution and once approved begin work on an
implementation.  Be aware we are somewhat itchy about backward compatibility
on this project.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmer...@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent

_______________________________________________
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users
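The pattern Jochen describes (full detail in the server log, only an opaque reference id to the client, verbose client errors as an opt-in that is off by default) can be illustrated with a small handler. This is an added example, not MapServer code and not something posted in the thread; it assumes a libpq-style "key=value" connect string, a constructed hostname and password, and hypothetical function names.

```python
import logging
import re
import uuid

# Keys whose values are secrets. They are masked everywhere, including the
# server log: a reference id, not the password, is what an operator needs.
_SECRET_KEY_RE = re.compile(r"(?i)\b(password|pwd|passwd)=(?:'[^']*'|\S+)")


def redact_connect_string(text: str) -> str:
    """Mask secret values in a libpq-style 'host=... password=...' string."""
    return _SECRET_KEY_RE.sub(lambda m: f"{m.group(1)}=***", text)


def report_db_error(conn_string: str, exc: Exception, logger: logging.Logger,
                    debug_to_client: bool = False) -> tuple[str, str]:
    """Log the (secret-redacted) details server-side and return
    (error_id, message_for_client).

    By default the client only gets a generic message plus the id, so host,
    database and file names never leave the server. debug_to_client=True is
    the opt-in for internal servers or initial setup, and even then the
    password stays masked.
    """
    error_id = uuid.uuid4().hex[:12]
    # Driver error text often echoes the connect string, so redact it too.
    detail = redact_connect_string(str(exc))
    logger.error("error_id=%s database connection failed: %s (connect string: %s)",
                 error_id, detail, redact_connect_string(conn_string))
    if debug_to_client:
        return error_id, f"Error {error_id}: {detail}"
    return error_id, f"Internal server error (reference {error_id}); see the server log."


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo(debug_to_client: bool = False) -> dict:
    """Run the handler on a constructed connection failure and return what the
    client and the log each received."""
    # Constructed sample values; not a real host or credential.
    conn = "host=db.internal.example dbname=gis user=mapserver password=s3cret"
    exc = ConnectionError(
        f'could not connect to server "db.internal.example" using "{conn}"')

    logger = logging.getLogger("mapserver.example")
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        error_id, client_msg = report_db_error(conn, exc, logger, debug_to_client)
    finally:
        logger.removeHandler(handler)
    return {"error_id": error_id, "client": client_msg, "log": handler.lines[0]}


if __name__ == "__main__":
    result = demo()
    print("client sees:", result["client"])
    print("log has:    ", result["log"])
```

The reference id is the only thing shared between the two outputs: an operator can grep the log for `error_id=...` and see the host, database and driver message, while the client response carries nothing that describes the backend.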
