I really like this idea, and look forward to checking out the proposal.
There are a lot of libraries and places to configure that would need to be
covered.

When you have a better idea of the GeoTools changes required, can we make a
proposal there also? May also need to have this as a standing concern when
adding third party dependencies (if the new library makes HTTP requests we
would need to make sure it is configured to use your whitelist).

On Fri, Feb 28, 2020 at 3:30 AM Imran Rajjad <raj...@gmail.com> wrote:

> Dear All,
> I would like to submit the following GSIP:
> https://github.com/geoserver/geoserver/wiki/GSIP-189
>
> *Some Background and Context:*
>
> Geotools and Geoserver make a lot of HTTP calls, internally and externally
> for different purposes which include
>
>    - Downloading Schemas
>    - Requesting Online Images and Resources
>    - Loading remote SLDs
>    - Working with remote OGC servers
>    - Other misc. calls that involve accessing resources outside the Data
>    Directory
>
> In some production environments this can be seen as a potential security
> loophole where developers/users have no way of controlling what is being
> accessed. Hence, a new interface is proposed to implement URL validation
> before making the HTTP call.
>
> GeoServer will receive its de facto implementation of this interface in
> which URLs will be validated through regex expressions configured through
> the Web Admin interface. By default GeoServer will have a number of known URLs
> allowed (e.g. OGC schema URLs, etc.)
>
> Complete details are included on the proposal. Looking forward to
> everyone's feedback.
>
> regards,
> Imran
> _______________________________________________
> GeoTools-Devel mailing list
> GeoTools-Devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>
-- 
Jody Garnett
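As an added illustration of the validation hook discussed in this thread (this is example code written for this page, not code from the GSIP, GeoTools or GeoServer; the names `URLChecker`, `RegexURLChecker` and the sample allow-list entries are assumptions), the sketch below shows a regex-based checker that is consulted before an outbound HTTP request. The design point worth noting for a whitelist of this kind is that each pattern must be anchored and matched against the whole normalized scheme-plus-host-plus-path string: a pattern that is merely searched for as a substring would accept `http://attacker.test/schemas.opengis.net/...` or `schemas.opengis.net.attacker.test`, and a non-HTTP scheme such as `file:` should be rejected before any pattern is tried.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example of pre-request URL validation. Interface and class names are
 * assumptions for this illustration, not the names used by GeoTools/GeoServer.
 */
public final class UrlAllowListExample {

    /** Hook consulted before any outbound HTTP request is made. */
    public interface URLChecker {
        boolean isAllowed(String url);
    }

    /**
     * Regex-based implementation. Each pattern is tested against the entire
     * canonical form "scheme://host[:port]/path" with matches(), never with a
     * substring search, so host-lookalikes and path tricks do not slip through.
     */
    public static final class RegexURLChecker implements URLChecker {
        private final List<Pattern> allowed;

        public RegexURLChecker(List<String> regexes) {
            List<Pattern> compiled = new ArrayList<>();
            for (String r : regexes) {
                compiled.add(Pattern.compile(r));
            }
            this.allowed = Collections.unmodifiableList(compiled);
        }

        @Override
        public boolean isAllowed(String url) {
            final URI uri;
            try {
                uri = new URI(url).normalize(); // collapse "a/../b" segments before matching
            } catch (URISyntaxException e) {
                return false;                   // unparseable input is rejected, not guessed at
            }
            // Only http(s) URLs with an explicit host are ever considered.
            if (uri.getScheme() == null || uri.getHost() == null) return false;
            String scheme = uri.getScheme().toLowerCase();
            if (!scheme.equals("http") && !scheme.equals("https")) return false;
            String canonical = scheme + "://" + uri.getHost().toLowerCase()
                    + (uri.getPort() == -1 ? "" : ":" + uri.getPort())
                    + (uri.getRawPath() == null ? "" : uri.getRawPath());
            for (Pattern p : allowed) {
                if (p.matcher(canonical).matches()) return true; // whole-string match only
            }
            return false;
        }
    }

    // Constructed defaults for this example: the well-known OGC schema host plus
    // one explicit WMS endpoint. A deployment would load these from admin config.
    static final List<String> DEFAULT_ALLOW = List.of(
            "^https?://schemas\\.opengis\\.net/.*$",
            "^https://ows\\.example\\.org/geoserver/wms$"
    );

    /** Runs the checker over constructed candidate URLs; returns the ones allowed. */
    public static List<String> demo() {
        URLChecker checker = new RegexURLChecker(DEFAULT_ALLOW);
        String[] candidates = {
            "http://schemas.opengis.net/wfs/1.1.0/wfs.xsd",       // allowed
            "https://ows.example.org/geoserver/wms",              // allowed
            "http://schemas.opengis.net.attacker.test/x.xsd",     // different host, rejected
            "http://attacker.test/schemas.opengis.net/wfs.xsd",   // allowed host only in path, rejected
            "https://ows.example.org/geoserver/wms/extra",        // not the exact endpoint, rejected
            "file:///etc/passwd",                                 // non-http scheme, rejected
            "http://[bad"                                         // unparseable, rejected
        };
        List<String> accepted = new ArrayList<>();
        for (String c : candidates) {
            if (checker.isAllowed(c)) accepted.add(c);
        }
        return accepted; // the two entries marked "allowed"
    }

    public static void main(String[] args) {
        for (String u : demo()) System.out.println("allowed: " + u);
    }
}
```

Wiring the `URLChecker` call into every client that performs HTTP (schema download, remote SLD and image loading, cascaded OGC clients) is the part that touches many places, which is the standing-concern point raised above for new third party dependencies: any library that opens its own connections bypasses the hook unless it is routed through the same check.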
