Hi Jody,

I only "found" the ENTITY_RESOLUTION_ALLOWLIST setting while searching for a 
fix of the error described at the beginning of this message thread. It might be 
that I missed reading the change logs at some point in time before. The 
documentation is good so I didn't have problems understanding the purpose and 
how to configure it, although in 2.25.0 it didn't work as expected in 
conjunction with the GeoFence Server plugin. Fortunately this has been fixed in 
2.25.1.

Regarding your other questions: I couldn't get any SLD style to validate and 
also tried the 'point' style of the default data dir in the 2.25.0 release, 
which led to the same result. I'm using the Windows 64-bit version of the 
latest Eclipse Temurin 17 release.

Best regards
Daniel

From: Jody Garnett <jody.garn...@gmail.com>
Sent: Monday, 17 June 2024 18:13
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
Cc: Jean-Christophe Bastin <jcbas...@thelis.be>; geoserver-users 
<geoserver-users@lists.sourceforge.net>
Subject: [EXTERN!]: Re: [Geoserver-users] WMS broken after GeoServer Update 
(SAXException)

Hey folks,

I added the ENTITY_RESOLUTION_ALLOWLIST option a long time ago, but nobody was 
noticing very much! I am glad you found the setting and have been working 
through how it works.

You are correct that it is used to mitigate server-side request forgery 
attacks. Some software is very susceptible to being attacked (like with headers 
and stuff) and we did not wish GeoServer to be the cause of trouble.

Since it was enabled by default, we made some more improvements for the 2.25.1 
release, which are mentioned in the release notes.

The use of ENTITY_RESOLUTION_ALLOWLIST=* would allow GeoServer to access *any* 
http location. The External Entity setting security risk allows any location on 
disk to be accessed (which is required for things like application schema where 
you have your schema files in the data directory).

It is preferable to host your schema somewhere public, like maybe the 
geoserver/www folder. And you can list additional locations in the 
ENTITY_RESOLUTION_ALLOWLIST value.

Q: Did any of you find the documentation?

  * https://docs.geoserver.org/latest/en/user/production/config.html#external-entities-resolution
  * https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities

Q: The "null" thing was a surprise to me - it was when the external entity was 
a DTD (and thus did not have a name). The error message assumed everything 
would have a name and that the name would be a useful way to tell what could 
not be found in your document.



--
Jody Garnett


On Jun 17, 2024 at 5:22:37 AM, Calliess Daniel Ing. 
<daniel.calli...@stadt-salzburg.at> wrote:
Hello Jean-Christophe,

I just upgraded to V2.25.1 and the error is gone, so no more workaround is 
necessary.

Regards
Daniel

From: Jean-Christophe Bastin <jcbas...@thelis.be>
Sent: Tuesday, 23 April 2024 12:05
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; 
'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hello Daniel,

Thank you very much for the details.
As you advised, I changed my configuration to not check this global setting, and 
set the parameter ENTITY_RESOLUTION_ALLOWLIST=* in the web.xml of GeoServer.
It looks like the error message is gone this way.

Regards,

Jean-Christophe

From: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
Sent: Monday, 22 April 2024 17:50
To: Jean-Christophe Bastin <jcbas...@thelis.be>; 
'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Jean-Christophe,

when users upload XML documents to your server those files can contain links to 
other documents (e.g. for namespace or schema definitions). An attacker could 
send a document containing links to files on the server's disk and somehow 
cause the server to leak this information I think. Or include links to 
resources on the internet that lead GeoServer to misbehave. More specific 
information might come from the GeoServer developers. See also 
https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities
 in the documentation.

So I'm trying to avoid weakening the External Entity settings if possible. And 
I would also suggest you use the "-DENTITY_RESOLUTION_ALLOWLIST=*" parameter (see 
https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities)
 for the moment because it only allows access to online resources, not to 
local files on the server.

Regards
Daniel
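The allowlist behaviour that Jody and Daniel describe in this thread (external entities are only fetched from approved hosts, "*" opens up any http location but never the local disk, and anything else fails with "Entity resolution disallowed for ...") can be shown with a small SAX entity resolver. The block below is an added illustration written in Python for this page; it is not GeoServer's own (Java) implementation and does not reproduce its exact rules. The host names, the canned responses standing in for the fetched documents, and the reduced default list (only the two hosts the thread names, www.w3.org and www.opengis.net) are all constructed for the example. Python's parser disables external general entities by default, so the example switches them on to show the resolver being consulted; no network access happens.

```python
"""Allowlist-based external entity resolution, in the spirit of GeoServer's
ENTITY_RESOLUTION_ALLOWLIST (added illustration; not GeoServer's own code)."""
import io
import xml.sax
from urllib.parse import urlparse
from xml.sax import handler, xmlreader

# Assumption for the demo: only the two hosts the thread names. GeoServer's
# documented default list is longer.
DEFAULT_HOSTS = {"www.w3.org", "www.opengis.net"}

# Constructed stand-ins for what the URLs would return. Nothing is fetched.
CANNED_RESPONSES = {
    "http://www.opengis.net/example/entity.xml": b"<Name>fetched from www.opengis.net</Name>",
    "http://intranet.example.internal/status": b"<Status>internal service reachable</Status>",
}


def canned_fetch(url):
    return CANNED_RESPONSES[url]


class AllowlistResolver(handler.EntityResolver):
    """Refuse every external entity unless it is an http(s) URL whose host is
    allowlisted. "*" mirrors ENTITY_RESOLUTION_ALLOWLIST=*: any http(s) host,
    but still never file: or other local schemes."""

    def __init__(self, allowed_hosts, fetch):
        self.allowed_hosts = set(allowed_hosts)
        self.fetch = fetch
        self.attempts = []  # every systemId the document tried to pull in

    def resolveEntity(self, publicId, systemId):
        self.attempts.append(systemId)
        url = urlparse(systemId or "")
        host_ok = "*" in self.allowed_hosts or url.hostname in self.allowed_hosts
        if url.scheme not in ("http", "https") or not host_ok:
            # Same wording as the error reported in the thread.
            raise xml.sax.SAXException("Entity resolution disallowed for %s" % systemId)
        source = xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(self.fetch(systemId)))
        return source


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_allowlist(document, allowed_hosts, fetch=canned_fetch):
    """Parse XML bytes, resolving external general entities via the allowlist."""
    parser = xml.sax.make_parser()
    # Python turns external general entities off by default; enable them so
    # the resolver is actually consulted, as a parser honouring them would.
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(AllowlistResolver(allowed_hosts, fetch))
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts).strip()


def check_document(document, allowed_hosts, fetch=canned_fetch):
    """Return ("ok", expanded text) or ("denied", error message)."""
    try:
        return ("ok", parse_with_allowlist(document, allowed_hosts, fetch))
    except xml.sax.SAXException as exc:
        return ("denied", exc.getMessage())


# Constructed documents: an SLD-like file pulling an entity from an allowed
# host, plus two variants reaching for an internal URL and a local file.
DOC_OPENGIS = b"""<?xml version="1.0"?>
<!DOCTYPE StyledLayerDescriptor [
  <!ENTITY ext SYSTEM "http://www.opengis.net/example/entity.xml">
]>
<StyledLayerDescriptor>&ext;</StyledLayerDescriptor>"""

DOC_INTRANET = DOC_OPENGIS.replace(
    b"http://www.opengis.net/example/entity.xml", b"http://intranet.example.internal/status")
DOC_LOCAL_FILE = DOC_OPENGIS.replace(
    b"http://www.opengis.net/example/entity.xml", b"file:///tmp/secret.txt")

if __name__ == "__main__":
    for name, doc, hosts in [("opengis, default list", DOC_OPENGIS, DEFAULT_HOSTS),
                             ("intranet, default list", DOC_INTRANET, DEFAULT_HOSTS),
                             ("intranet, allowlist=*", DOC_INTRANET, {"*"}),
                             ("local file, allowlist=*", DOC_LOCAL_FILE, {"*"})]:
        print(name, "->", check_document(doc, hosts))
```

With the default list only the www.opengis.net entity expands; the internal URL is refused until the allowlist is "*", and the file: reference is refused even then, which is the distinction Daniel draws between the "*" allowlist and the global "security risk" checkbox.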


From: Jean-Christophe Bastin <jcbas...@thelis.be>
Sent: Monday, 22 April 2024 16:41
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; 
'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don’t know if this is the same behavior as your 
parameter -DENTITY_RESOLUTION_ALLOWLIST=*.
In Configuration, Global, you have “Unlimited resolution of XML external 
entities (security risk)” (this is translated from French, sorry if it’s not 
exactly the same words).
After checking and applying the changes, the error is gone when consulting layers.
BUT, I see the “security risk” with this parameter, and I don’t know what it is 
exactly.

If someone can explain what it is talking about, I’ll appreciate it :)

Many thanks.

Jean-Christophe

From: Jean-Christophe Bastin
Sent: Monday, 22 April 2024 16:13
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; 
'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.
In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues 
that I was able to manage by myself. But the last issue (I hope) I see now is 
that for any layer I want to preview, or access to show, I also get a service 
exception 
“java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity 
resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

From: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
Sent: Monday, 22 April 2024 15:00
To: 'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now 
I can't preview WMS layers. The error message is: 
"java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity 
resolution disallowed for null". The same message is shown when I try to 
validate an SLD stylesheet. I copied the full stack trace to a file and 
attached it to this message. I also reverted back to the data dir included in 
the 2.25.0 release and can reproduce the error e.g. with the 'point' style.

I now found out that when I'm starting GeoServer with the 
-DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this 
parameter shouldn't be necessary because the styles only contain 
references to www.opengis.net and www.w3.org, which are in the default list of 
allowed domains for entity expansion according to the documentation 
(https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities).

The geoserver log shows a lot of "WARN   [geotools.xsd] - Sax parser property 
'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' not 
recognized.  Xerces version is incompatible." messages. Might there be a 
connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users