Hi,

We are using GeoServer WFS to serve Vector Data that are stored in Oracle
Database in backend.

The WFS request directly returned errors that are produced by Oracle DB to final
users.
For example, when we submitted the below WFS request to any GeoServer instance:
http://geoserver.domain.name/GeoServer/wfs?service=WFS&version=1.0.0&request=GetFeature&outputFormat=json&srsName=EPSG:4326&typeName=YOUR_LAYERNAME&cql_filter=1='string'
The GeoServer returned the below errors to final users if the backend database is
Oracle (I did not have a chance to test PostGIS as the backend database):
java.lang.RuntimeException: java.io.IOException java.io.IOException null
ORA-01722: invalid number

This error directly discloses backend database information to final users.
Our security guys think that this is a security vulnerability and we need to fix
it.

Considering that this error is directly returned by GeoServer,
I am seeking any comments/suggestions/advice from users and developers from
the GeoServer community to see if there is any way that we can fix this issue.

Any responses are highly appreciated!

Anderson Chen,
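
An added example, not part of the original message and not GeoServer code: a response filter of the kind that could sit in front of the WFS endpoint (for instance in a reverse proxy or servlet filter), detecting the backend detail shown in the quoted error and replacing it with a generic report. The function names, the reference-id scheme and the generic report text are assumptions made for illustration.

```python
import re
import uuid

# Signatures of the backend detail visible in the error quoted in the post.
LEAK_PATTERNS = {
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "java_exception": re.compile(r"\bjava(?:\.\w+)+(?:Exception|Error)\b"),
}

# Constructed generic body; only an opaque reference reaches the client.
GENERIC_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<ServiceExceptionReport version="1.2.0">\n'
    "  <ServiceException>Request could not be processed. "
    "Reference: {ref}</ServiceException>\n"
    "</ServiceExceptionReport>\n"
)


def find_leaks(body):
    """Return the sorted names of leak patterns that match the response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))


def sanitize_response(body, server_log):
    """Return (body_for_client, leak_names).

    A clean body passes through unchanged. A leaking body is kept in the
    server-side log under a random reference and replaced for the client,
    so operators can still diagnose the failure.
    """
    leaks = find_leaks(body)
    if not leaks:
        return body, leaks
    ref = uuid.uuid4().hex[:12]
    server_log.append({"ref": ref, "leaks": leaks, "original": body})
    return GENERIC_BODY.format(ref=ref), leaks


# Constructed samples: the error text from the post and a normal JSON reply.
LEAKY = (
    "java.lang.RuntimeException: java.io.IOException java.io.IOException null\n"
    "ORA-01722: invalid number"
)
CLEAN = '{"type":"FeatureCollection","features":[]}'

if __name__ == "__main__":
    log = []
    for sample in (LEAKY, CLEAN):
        out, leaks = sanitize_response(sample, log)
        print(leaks, "->", out.splitlines()[0])
```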