Bug 974

Summary: Security: The JSAPI widget generates JavaScript that includes connection parameters
Product: Chameleon
Reporter: Corey Puffalt <cplists@gmail.com>
Component: Widget
Assignee: Bart van den Eijnden <bartvde@osgis.nl>
Status: RESOLVED FIXED    
Severity: critical    
Priority: P2    
Version: 2.0   
Target Milestone: 2.4   
Hardware: PC   
OS: Linux   
Whiteboard:

Description From 2005-02-22 12:53:36
I noticed that the JavaScript generated by the JSAPI widget includes all the
layer information from my map file, including connection parameters for PostGIS
layers, which include the user name and password!

According to Paul Spencer this can be fixed by editing:

chameleon/htdocs/widgets/cwcjsapi/cwcjsapi.widget.php

and removing line 208 which reads:

$szLayerInfo .= "aLayerconnection[".$i."] = '" . $poLayer->connection . "';\n";
------- Comment #1 From 2006-03-02 09:16:18 -------
Reassigning this one to myself, this should really be fixed before the 2.4
release.
------- Comment #2 From 2006-04-07 03:51:48 -------
Fixed this one in 2.4 branch and CVS head.
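
A regression check for the leak reported in this bug, as an added example that is not part of the original report or of Chameleon's code: it reads the CONNECTION strings from a map file and flags any line of generated page output that contains one of them or a password taken from them. The sample map file, credentials and page output are constructed, and the check assumes unquoted `password=` values in the PostGIS connection string.

```python
import re

# Constructed sample map file (MapServer syntax); the credentials are made up.
SAMPLE_MAPFILE = '''
MAP
  LAYER
    NAME "roads"
    CONNECTIONTYPE POSTGIS
    CONNECTION "user=gis password=s3cr3t dbname=geo host=db.internal"
    DATA "geom FROM roads"
  END
  LAYER
    NAME "rivers"   # shapefile layer, no CONNECTION
    DATA "rivers"
  END
END
'''

# Constructed widget output: with the aLayerconnection line, and without it.
JS_BEFORE = ("/* other layer arrays (constructed placeholder) */\n"
             "aLayerconnection[0] = 'user=gis password=s3cr3t dbname=geo host=db.internal';\n")
JS_AFTER = "/* other layer arrays (constructed placeholder) */\n"

# CONNECTION must be followed by whitespace, so CONNECTIONTYPE is not matched.
CONNECTION_RE = re.compile(r'^\s*CONNECTION\s+(["\'])(.*?)\1', re.I | re.M)
PASSWORD_RE = re.compile(r'\bpassword=(\S+)', re.I)

def mapfile_secrets(mapfile_text):
    """Return the CONNECTION strings and the password values inside them."""
    secrets = set()
    for match in CONNECTION_RE.finditer(mapfile_text):
        conn = match.group(2)
        secrets.add(conn)
        secrets.update(PASSWORD_RE.findall(conn))
    return secrets

def leaked_lines(page_output, mapfile_text):
    """List (line_number, line) pairs of output that contain a map file secret."""
    secrets = mapfile_secrets(mapfile_text)
    return [(n, line) for n, line in enumerate(page_output.splitlines(), 1)
            if any(s in line for s in secrets)]

if __name__ == "__main__":
    for n, line in leaked_lines(JS_BEFORE, SAMPLE_MAPFILE):
        print(f"leak at output line {n}: {line}")
```

Run against the HTML or JavaScript a deployed page actually serves, an empty result from `leaked_lines` confirms that no layer connection string reaches the browser.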