[Chameleon-dev] [Bug 974] New: Security: The JSAPI widget generates javascript that includes connection parameters

bugzilla-daemon at maptools.org
Tue Feb 22 12:53:38 EST 2005


http://www.maptools.org/bugzilla/show_bug.cgi?id=974

           Summary: Security: The JSAPI widget generates javascript that
                    includes connection parameters
           Product: Chameleon
           Version: 2.0
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Widget
        AssignedTo: chameleon-dev at lists.maptools.org
        ReportedBy: cplists at gmail.com


I noticed that the JavaScript generated by the JSAPI widget includes all the
layer information from my map file, including connection parameters for PostGIS
layers, which include the user name and password!

According to Paul Spencer this can be fixed by editing:

chameleon/htdocs/widgets/cwcjsapi/cwcjsapi.widget.php

and removing line 208 which reads:

$szLayerInfo .="aLayerconnection[".$i."] = '" .  $poLayer->connection . "';\n";



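Added example (not part of the original report and not Chameleon code): a Python check that can be run over the JavaScript the JSAPI widget returns, to confirm that no aLayerconnection assignment still carries connection details once line 208 is removed. Only the aLayerconnection name comes from the quoted line; the sample output, host names and the libpq-style keyword list are constructed assumptions.

```python
import re

# Shape of the assignment emitted by the line quoted in the report:
#   aLayerconnection[<i>] = '<connection string>';
ASSIGNMENT = re.compile(r"aLayerconnection\[(\d+)\]\s*=\s*'((?:[^'\\]|\\.)*)'")

# Assumption: PostGIS CONNECTION strings use libpq-style key=value pairs.
CONN_KEY = re.compile(r"\b(user|password|host|port|dbname)\s*=\s*(\S+)")
SENSITIVE = {"user", "password"}

# Constructed sample of widget output (not captured from a real server).
SAMPLE_JS = """\
aLayerconnection[0] = '';
aLayerconnection[1] = 'user=gisuser password=example-only dbname=gis host=db.example.internal';
aLayerconnection[2] = 'http://wms.example.org/cgi-bin/mapserv?';
"""


def find_leaked_connections(js_text):
    """Return one finding per aLayerconnection assignment with a non-empty value."""
    findings = []
    for match in ASSIGNMENT.finditer(js_text):
        index, value = int(match.group(1)), match.group(2)
        if not value.strip():
            continue  # a layer without a CONNECTION leaks nothing
        keys = [key for key, _ in CONN_KEY.findall(value)]
        findings.append({
            "layer_index": index,
            "keys": keys,
            "has_credentials": bool(SENSITIVE & set(keys)),
            # Mask every value so the report itself does not repeat the secret.
            "redacted": CONN_KEY.sub(lambda m: m.group(1) + "=***", value),
        })
    return findings


if __name__ == "__main__":
    results = find_leaked_connections(SAMPLE_JS)
    for item in results:
        level = "CREDENTIALS" if item["has_credentials"] else "connection detail"
        print(f"layer {item['layer_index']}: {level}: {item['redacted']}")
    # Non-zero exit lets the check fail a deployment or regression test.
    raise SystemExit(1 if results else 0)
```

A non-empty result means the widget output still exposes connection data; layer 2 in the sample shows that a non-PostGIS connection value is reported too, even though it holds no credentials.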