I think this solution would be enough to close the security hole.
2013/7/24 Christian Mueller
> Done, please review at
> https://github.com/mcrmcr/geoserver-1/commit/7306ceaf1a9fc98ba4c8b00d733ee7bf9bfce0aa
>
> 2013/7/24 Christian Mueller
>> Yep, this is an argument. The URL path is
Done, please review at
https://github.com/mcrmcr/geoserver-1/commit/7306ceaf1a9fc98ba4c8b00d733ee7bf9bfce0aa
2013/7/24 Christian Mueller
> Yep, this is an argument. The URL path is
> http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=fa
Yep, this is an argument. The URL path is
http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false
Some improvements:
1) Changing the ant pattern to "/web/" instead of "/web/**"
2) Check that the number of parameters is 2
3) Check that wi
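To make the three checks concrete, here is an added Python sketch (not code from the thread or from GeoServer) that puts the query-string matching Roar objects to beside the tightened matching Christian lists. It assumes a /geoserver context path, that the truncated third check concerns the wicket:bookmarkablePage parameter visible in the login URL above, and uses constructed sample URLs.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the thread): GeoServer runs under this context path,
# and the third check is on the wicket:bookmarkablePage parameter.
CONTEXT_PATH = "/geoserver"
LOGIN_PAGE = "org.geoserver.web.GeoServerLoginPage"
PAGE_PARAM = "wicket:bookmarkablePage"

def servlet_path(url):
    """Path relative to the context root, i.e. what the Ant pattern sees."""
    path = urlsplit(url).path
    if not path.startswith(CONTEXT_PATH + "/"):
        return None
    return path[len(CONTEXT_PATH):]

def is_login_page_weak(url):
    """The hack Roar objects to: any request under /web/** whose query
    string mentions the login page class counts as the login page."""
    path = servlet_path(url)
    return (path is not None and path.startswith("/web/")
            and LOGIN_PAGE in urlsplit(url).query)

def is_login_page_strict(url):
    """The tightened check: exact path, exactly two parameters, and the
    page parameter naming exactly the login page."""
    if servlet_path(url) != "/web/":              # 1) "/web/", not "/web/**"
        return False
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(pairs) != 2:                           # 2) exactly two parameters
        return False
    params = dict(pairs)                          # repeated keys collapse,
    if set(params) != {PAGE_PARAM, "error"}:      # so they fail this test
        return False
    return params[PAGE_PARAM] == ":" + LOGIN_PAGE  # 3) exact login page

# Constructed samples: the login URL from the thread plus two requests that
# merely carry the login page class in their query string.
SAMPLES = {
    "login": "http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false",
    "other_page": "http://localhost:8080/geoserver/web/wicket/bookmarkable/some.other.Page?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage",
    "extra_param": "http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false&extra=1",
}

def compare(samples=SAMPLES):
    """Return {name: (weak_result, strict_result)} for each sample URL."""
    return {n: (is_login_page_weak(u), is_login_page_strict(u)) for n, u in samples.items()}

if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:12} weak={weak!s:5} strict={strict}")
```

Only the genuine login URL passes the strict matcher; the two lookalikes pass the weak one and are rejected by the exact path check and the parameter count respectively.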
Hi,
I looked at your code and am a little bit concerned about the solution for the
Login-page itself.
Wouldn't it be easy to include "org.geoserver.web.GeoServerLoginPage" as a
part of the queryString in any url?
In that way this hack would be a fairly decent security hole.
Regards,
Roar Brænden
20
The issue is here
https://jira.codehaus.org/browse/GEOS-5921#comment-329355
The patch is here
https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7
The patch contains only a few lines, but it is a hack. As a consequence, a
review would be nice.
@Justin, I think