Hi,

I'd like to discuss a couple of security issues related to parsing XML
files coming from outside; both involve external entity evaluation:

1) XML Bombs (http://en.wikipedia.org/wiki/Billion_laughs)

The environment variable entityExpansionLimit can be set on the
GeoServer JVM to prevent this kind of attack but it would be nice to
have it enabled by default.

Further security measures against DoS attacks can be enabled by turning on
FEATURE_SECURE_PROCESSING on the standard XML parsers.
This mode prevents parsing of abnormal files, so the parser will stop
processing xml bombs and other xml files 'too big' (but we can't
configure how much is 'too big').

2) Entities loaded from the local server
(http://jira.codehaus.org/browse/GEOS-5273)

To prevent GeoServer from reading sensitive files on the server, the
Java SecurityManager of the server should be configured.
But even with a restrictive SecurityManager, GeoServer must still be
able to read in its data directory where we have sensitive
information.


In GeoTools and GeoServer I've seen 4 different parsers, instantiated
in many different classes so there's no unique point where we can add
a security control.
I thought we could create a factory for every parser implementation,
containing methods like createParser(Map settings).
Factory settings could be used to enable customizations like an entity
expansion limit, a custom EntityResolver that reads entities only from
a limited set of directories and so on.

We're in a feature freeze state now but I need to fix those issues in
at least 2 points: SLD and WFS POST parsing.
So at the moment I'd like to just add a GeoServer setting to disable
external entities loading: it would be evaluated when creating parsers for
SLD and WFS POST requests.

Opinions?

Regards,
-- 
==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.
==

Davide Savazzi
@svzdvd
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax:      +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it
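
An added example, not part of the original message and not GeoServer or GeoTools code: one way the proposed parser factory could combine FEATURE_SECURE_PROCESSING with an EntityResolver that only resolves entities below an allowed directory. The class name, `createParser(Path)`, `restrictTo` and the sample document are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeParserDemo {
    // Hypothetical factory method: secure processing on, external entities
    // resolved only below allowedDir (null means resolve none at all).
    static DocumentBuilder createParser(Path allowedDir) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Applies the JAXP implementation's built-in processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(restrictTo(allowedDir));
        return b;
    }

    // Rejects every external entity unless it is a file: URL whose real path
    // (symlinks and ".." resolved) lies inside allowedDir.
    static EntityResolver restrictTo(Path allowedDir) {
        return (publicId, systemId) -> {
            if (allowedDir != null && systemId != null && systemId.startsWith("file:")) {
                Path p = Paths.get(URI.create(systemId)).toRealPath();
                if (p.startsWith(allowedDir.toRealPath())) return new InputSource(systemId);
            }
            throw new SAXException("External entity blocked: " + systemId);
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document declaring an external entity on a local path.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE sld [<!ENTITY x SYSTEM \"file:///tmp/constructed-example.txt\">]>\n"
            + "<sld>&x;</sld>";
        try {
            createParser(null).parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Throwing from the resolver fails the whole parse rather than silently substituting an empty entity, so a rejected request is visible to the caller and can be logged.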
