Hi Davide

A big +1 for pointing out this problem. I have similar issues in the
security subsystem (protecting specific files). I also thought
about using the Java security manager but this configuration has to be done
by the local admin. I would prefer hardening GeoServer by the developers.
(Package sealing, examining the stack trace, ... in my case). Of course, we
cannot cover all vulnerabilities, so we have to enhance the documentation.

2013/1/22 Davide <davide.sava...@gmail.com>

> Hi,
>
> I'd like to discuss a couple of security issues related to parsing XML
> files coming from outside, both involve external entities evaluation:
>
> 1) XML Bombs (http://en.wikipedia.org/wiki/Billion_laughs)
>
> The environment variable entityExpansionLimit can be set on the
> GeoServer JVM to prevent this kind of attack but it would be nice to
> have it enabled by default.
>
> Further security measures against DoS attacks can be enabled by turning on
> FEATURE_SECURE_PROCESSING on the standard XML parsers.
> This mode prevents parsing of abnormal files, so the parser will stop
> processing XML bombs and other XML files 'too big' (but we can't
> configure how much is 'too big').
>
> 2) Entities loaded from the local server
> (http://jira.codehaus.org/browse/GEOS-5273)
>
> To prevent GeoServer from reading sensitive files on the server, the
> Java SecurityManager of the server should be configured.
> But even with a restrictive SecurityManager, GeoServer must still be
> able to read in its data directory where we have sensitive
> information.
>
>
> In GeoTools and GeoServer I've seen 4 different parsers, instantiated
> in many different classes so there's no unique point where we can add
> a security control.
> I thought we could create a factory for every parser implementation,
> containing methods like createParser(Map settings).
> Factory settings could be used to enable customizations like an entity
> expansion limit, a custom EntityResolver that reads entities only from
> a limited set of directories and so on.
>
> We're in a feature freeze state now but I need to fix those issues in
> at least 2 points: SLD and WFS POST parsing.
> So at the moment I'd like to just add a GeoServer setting to disable
> external entities loading: it would be evaluated when creating parsers for
> SLD and WFS POST requests.
>
> Opinions?
>
> Regards,
> --
> ==
> Our support, Your Success! Visit http://opensdi.geo-solutions.it for
> more information.
> ==
>
> Davide Savazzi
> @svzdvd
> Senior Software Engineer
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:      +39 0584 1660272
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
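The parser factory idea from the quoted message, as an added example that is not GeoServer or GeoTools code: it turns on FEATURE_SECURE_PROCESSING and installs an EntityResolver that only serves entities from one allowed directory. The class name `HardenedXmlFactory`, the `allowedDir` parameter and the sample document are assumptions made for illustration.

```java
import java.io.*;
import java.net.URI;
import java.nio.file.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper, not a GeoServer/GeoTools class.
public class HardenedXmlFactory {
    /** allowedDir == null means: refuse every external entity. */
    public static DocumentBuilder createParser(Path allowedDir) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // JAXP secure processing: the parser applies its built-in resource limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Every external DTD/entity lookup goes through resolve() first.
        b.setEntityResolver((publicId, systemId) -> resolve(allowedDir, systemId));
        return b;
    }

    // Serve only file: entities whose real path (symlinks resolved) is under allowedDir.
    static InputSource resolve(Path allowedDir, String systemId) throws SAXException, IOException {
        if (allowedDir != null && systemId != null && systemId.startsWith("file:")) {
            try {
                Path base = allowedDir.toRealPath();
                Path target = Paths.get(URI.create(systemId)).toRealPath();
                if (target.startsWith(base)) return new InputSource(target.toUri().toString());
            } catch (IllegalArgumentException e) {
                // Malformed file: URI, fall through to the refusal below.
            }
        }
        throw new SAXException("External entity blocked: " + systemId);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: SLD-like document that references an external entity.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE s [<!ENTITY x SYSTEM \"file:///tmp/outside-data-dir.txt\">]>"
                   + "<StyledLayerDescriptor><Name>&x;</Name></StyledLayerDescriptor>";
        try {
            createParser(null).parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Throwing from the resolver instead of returning `null` matters: a `null` return tells the parser to fall back to its default resolution of the system identifier.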