Hi Mark,

Thanks for the feedback.

Allowing anything by default until a rule is added sounds reasonable.

regards,
Imran

On Fri, Feb 28, 2020 at 4:48 PM Mark Prins <mc.pr...@gmail.com> wrote:

> On 28-02-2020 12:20, Imran Rajjad wrote:
> > Dear All,
> > I would like to submit the following GSIP :
> > https://github.com/geoserver/geoserver/wiki/GSIP-189
> >
> > *Some Background and Context:*
> > GeoTools and GeoServer make a lot of HTTP calls, internally and
> > externally, for different purposes, which include
> >
> >
> >   * Downloading Schemas
> >   * Requesting Online Images and Resources
> >   * Loading remote SLDs
> >   * Working with remote OGC servers
> >   * Other Misc calls that involve access resources outside the Data
> >     Directory
> >
> >
> > In some production environments this can be seen as a potential security
> > loophole where developers/users have no way of controlling what is
> > being accessed. Hence a new interface is proposed to implement URL
> > validation before making the HTTP call.
> >
> > GeoServer will receive its de facto implementation of this interface, in
> > which URLs will be validated through regular expressions configured
> > through the Web Admin interface. By default GeoServer will have a number of
> > known URLs allowed (e.g. OGC schema URLs, etc.).
> >
> > Complete details are included in the proposal. Looking forward to
> > everyone's feedback.
> >
>
> Instead of having a whitelist of allowed domains, which is prone to fail
> for subdomains, I would think about having a default regex that will just
> allow anything, or allow anything by default until a rule is added.
>
> -M
>
>
>
> _______________________________________________
> GeoTools-Devel mailing list
> GeoTools-Devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>


-- 
I.R
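The proposal above describes an interface that is consulted before each outbound HTTP call, with regex rules configured in the admin UI and an allow-all default until a rule exists. The following is an added example, not code from GSIP-189 or from GeoServer/GeoTools, that sketches two ways such a check could be written: a naive unanchored regex over the URL string, and a check that parses the URL first and compares the host (accepting subdomains, which is the failure mode raised in the reply). The interface name `URLChecker`, its `confirm` method, and the allowed host `schemas.opengis.net` are assumptions made for the example; the probe URLs are constructed. The point it shows is that a substring regex accepts look-alike hosts, query parameters and userinfo tricks that a host-based comparison rejects.

```java
// Added example (not GeoServer/GeoTools code). Assumed interface shape: URLChecker.confirm(url).
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UrlCheckExample {

    /** Hypothetical shape of the check interface the proposal describes. */
    interface URLChecker {
        boolean confirm(String url);
    }

    /** Naive variant: an unanchored regex over the whole URL string. */
    static final class RegexChecker implements URLChecker {
        private final List<Pattern> rules = new ArrayList<>();

        void addRule(String regex) {
            rules.add(Pattern.compile(regex));
        }

        public boolean confirm(String url) {
            if (rules.isEmpty()) return true; // allow anything until a rule is added
            for (Pattern p : rules) {
                if (p.matcher(url).find()) return true; // substring match: too permissive
            }
            return false;
        }
    }

    /** Host-based variant: parse first, then compare scheme and host, allowing subdomains. */
    static final class HostChecker implements URLChecker {
        private final List<String> hosts = new ArrayList<>();

        void allowHost(String host) {
            hosts.add(host.toLowerCase());
        }

        public boolean confirm(String url) {
            if (hosts.isEmpty()) return true; // same allow-all default until a rule is added
            URI uri;
            try {
                uri = new URI(url);
            } catch (URISyntaxException e) {
                return false; // unparseable input is rejected rather than guessed at
            }
            String scheme = uri.getScheme();
            String host = uri.getHost(); // excludes userinfo, so "allowed@evil" is not fooled
            if (scheme == null || host == null) return false;
            if (!scheme.equals("http") && !scheme.equals("https")) return false;
            host = host.toLowerCase();
            for (String allowed : hosts) {
                // exact host, or a subdomain of it (label boundary enforced by the dot)
                if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed probes: one legitimate URL, one subdomain, and several look-alikes.
        String[] probes = {
            "http://schemas.opengis.net/wfs/2.0/wfs.xsd",
            "http://www.schemas.opengis.net/x.xsd",            // subdomain: should pass
            "http://schemas.opengis.net.attacker.example/x",   // allowed host as a prefix label
            "http://attacker.example/?u=http://schemas.opengis.net/", // allowed host in the query
            "http://schemas.opengis.net@attacker.example/x",   // allowed host as userinfo
            "file:///etc/passwd",                              // non-HTTP scheme
        };
        RegexChecker regex = new RegexChecker();
        regex.addRule("schemas\\.opengis\\.net");
        HostChecker host = new HostChecker();
        host.allowHost("schemas.opengis.net");
        for (String u : probes) {
            System.out.printf("%-58s regex=%-5b host=%b%n", u, regex.confirm(u), host.confirm(u));
        }
    }
}
```

Running it shows the regex variant accepting all but the `file:` probe, while the host-based variant accepts only the first two. If the admin UI is to stay regex-based, the rule should at least be anchored and applied to the parsed host (or scheme plus host) rather than to the raw URL string.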