Bug 974 – Security: The JSAPI widget generates javascript that includes connection parameters

Bug 974 - Security: The JSAPI widget generates javascript that includes connection parameters

Summary:

Security: The JSAPI widget generates javascript that includes connection para...

Status:	RESOLVED FIXED

Product:	Chameleon
Component:	Widget
Version:	2.0
Platform:	PC Linux

Importance:	P2 critical
Target Milestone:	2.4
Assigned To:	Bart van den Eijnden

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2005-02-22 12:53 by Corey Puffalt
Modified:	2006-04-07 03:51 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Corey Puffalt 2005-02-22 12:53:36

I noticed that the javascript generated by the JSAPI widget includes all the
layer information from my map file including connection parameters for Postgis
layers which includes the user name and password!

According to Paul Spencer this can be fixed by editing:

chameleon/htdocs/widgets/cwcjsapi/cwcjsapi.widget.php

and removing line 208 which reads:

$szLayerInfo .="aLayerconnection[".$i."] = '" .  $poLayer->connection .
"';\n";

------- Comment #1 From Bart van den Eijnden 2006-03-02 09:16:18 -------

Reassigning this one to myself, this should really be fixed before the 2.4
release.

------- Comment #2 From Bart van den Eijnden 2006-04-07 03:51:48 -------

Fixed this one in 2.4 branch and CVS head.