On 28-02-2020 12:20, Imran Rajjad wrote:
Dear All,
I would like to submit the following GSIP :
https://github.com/geoserver/geoserver/wiki/GSIP-189
*Some Background and Context:*
**
Geotools and Geoserver make a lot of HTTP calls, internally and
externally for different purposes which include
* Downloading Schemas
* Requesting Online Images and Resources
* Loading remote SLDs
* Working with remote OGC servers
* Other Misc calls that involve access resources outside the Data
Directory
In some production environments this can be seen as a potential security
loop hole where developers/users have no way of controlling what is
being accessed. Hence a new Interface is proposed to implement URL
validation before making the HTTP call.
Geoserver will receive its de-facto implementation of this interface in
which URLs will be validated through Regex expressions configured
through Web Admin interface. By default Geoserver will have a number of
known URLs allowed (e.g OGC Schema URls etc)
Complete details are included on the proposal. Looking forward to
everyone`s feedback
instead of having a whitelist of allowed domains which is prone to fail
for subdomains I would think about having a default regex that will just
allow anything, or allow anything by default until a rule is added.
-M
_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
