Hi all,

Please see https://github.com/MapServer/MapServer/pull/6808. There are lots of changes to expected msautotest results due to missing blank lines after the version number that weren't stripped, but the actual code changes are minimal.

Seth

--
web:https://geographika.net
twitter: @geographika

On Wed, Jan 25, 2023, at 5:00 PM, Steve Lime wrote:
> I'm +1 on cleaning that up as well. I wouldn't think someone would base
> client behavior on a comment in an error message - too brittle.
>
> On Wed, Jan 25, 2023 at 9:55 AM Nash, Edward <[email protected]> wrote:
>> I'd be +1 on sending as little information about the server as possible (aka
>> "secure") by default.
>>
>> Whatever the technical merits, this one always comes up on security
>> checklists, and anything that makes it harder to forget to set everything up
>> correctly is fine by me - assuming the documentation of how to get the
>> version details for debugging is clear and easy to find (as an FAQ, or maybe
>> in a new "Troubleshooting" section in the docs?).
>>
>> Best regards,
>>
>> Ed
>>
>> -----Original Message-----
>> From: MapServer-dev <[email protected]> On Behalf Of
>> Seth G
>> Sent: Wednesday, 25 January 2023 16:13
>> To: MapServer Devs <[email protected]>
>> Subject: [MapServer-dev] MapServer version information in error messages
>>
>> Hi all,
>>
>> Does anyone have any thoughts about removing MapServer version information
>> from any errors/responses sent to client applications?
>>
>> A few relevant online discussions [1] [2]. As MapServer falls more in the
>> generic server category I'd be +1 on removing the details from responses
>> (and leaving them in the client applications).
>>
>> See https://github.com/MapServer/MapServer/pull/6794 for some more details.
>> I added in Proj and GDAL versions which are handy for admins/debugging, but
>> provide more information to a malevolent party looking to attack a MapServer
>> instance.
>>
>> Seth
>>
>> [1]
>> https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
>> [2]
>> https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app
>>
>> --
>> web:https://geographika.net
>> twitter: @geographika
>> _______________________________________________
>> MapServer-dev mailing list
>> [email protected]
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
