Thanks for your help and to Thijs Brentjens.
Geoserver builds successfully and these changes have solved the cross site scripting problem.
According to our security audit we have a similar problem with the error message. The following is deemed a risk:
/geoserver230/wms
URL encoded GET input HEIGHT was set to
Error message found: java.lang.NumberFormatException: For input string:
GET /geoserver230/wms?FORMAT=image/png&HEIGHT=&LAYER=mylayer&REQUEST=GetLegendGraphic&Transparent=true&VERSION=1.0.0&WIDTH=20
I've checked the global settings that we are not outputting verbose messages.
Is there any way to change the error response or to redirect before this is output, or does the Java need changing again?
Our security scan software seems very strict, I don't see that many users with similar issues.
thanks
Justin Clowes | Jacobs | Principal GIS Developer, Information Management & GIS | +44.(0)141.243.8138 | +44.(0)7879 425506 (mobile) | justin.clowes@anonymised.com3822...<mailto:justin.clowes@anonymised.com> | www.jacobs.com<http://www.jacobs.com/>
________________________________
From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: 29 August 2013 09:32
To: Clowes, Justin
Cc: Geoserver-devel
Subject: Re: [Geoserver-devel] cross site scripting vulnerability
On Wed, Aug 28, 2013 at 6:05 PM, Clowes, Justin <Justin.Clowes@anonymised.com> wrote:
Ok I've made these changes and I'm attempting to compile geoserver in Maven.
I'm afraid I'm new to Maven and this build process.
I'm getting the build error :
[ERROR] \geoserver233b\geoserver-2.3.3\platform\src\main\java\org\geoserver\platform\ServiceException.java:[193,9] cannot find symbol
[ERROR] symbol : variable Encode
"Encode" is a separate component in a jar file.
Can anyone tell me where this jar file should be placed and how it should
be referenced in the pom.xml?
I already have the following in ows\pom.xml
<dependency>
  <groupId>org.owasp.encoder</groupId>
  <artifactId>encoder</artifactId>
  <version>1.1</version>
  <scope>system</scope>
  <systemPath>${basedir}/encoder-1.1.jar</systemPath>
</dependency>
I'm trying to add a path to the jar file but I'm not sure if this is the
correct approach.
With Maven you never have jars to be installed locally or to be put among the
sources, you just declare a dependency and Maven will download it on
the disk in the proper place for you.
I believe this is the dependency you're looking for?
http://mvnrepository.com/artifact/org.owasp.encoder/encoder/1.1
Cheers
Andrea
--
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
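One way to keep the `java.lang.NumberFormatException` text out of the response for a request such as `HEIGHT=` is to validate the parameter and return a fixed message instead of the exception's own. The sketch below is an added example, not GeoServer code or code from this thread; `SafeDimensionParser`, `InvalidParameterException`, `parseDimension` and the 4096 limit are assumptions made for illustration.

```java
// Added illustration: all names here are hypothetical, not GeoServer classes.
public class SafeDimensionParser {

    /** Raised for bad client input; carries only text that is safe to return. */
    static class InvalidParameterException extends Exception {
        final String locator; // server-side parameter name, never client data

        InvalidParameterException(String locator, String safeMessage) {
            super(safeMessage);
            this.locator = locator;
        }
    }

    /** Parses a positive pixel dimension without leaking parser internals. */
    static int parseDimension(String name, String raw, int max)
            throws InvalidParameterException {
        if (raw == null || raw.trim().isEmpty()) {
            throw new InvalidParameterException(name, name + " must not be empty");
        }
        final int value;
        try {
            value = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            // Do not forward e.getMessage(): it echoes the raw input
            // ("For input string: ...") and the response would then name
            // the Java exception class the scanner flagged.
            throw new InvalidParameterException(name, name + " must be an integer");
        }
        if (value < 1 || value > max) {
            throw new InvalidParameterException(
                    name, name + " must be between 1 and " + max);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed inputs; the empty string mirrors HEIGHT= in the quoted request.
        String[] samples = {"20", "", "abc", "99999999999"};
        for (String raw : samples) {
            try {
                System.out.println("HEIGHT ok: " + parseDimension("HEIGHT", raw, 4096));
            } catch (InvalidParameterException e) {
                System.out.println("locator=" + e.locator + " text=" + e.getMessage());
            }
        }
    }
}
```

The messages are built only from the server-side parameter name and fixed strings, so no client-supplied text reaches the response and nothing needs output encoding on this path.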