[Geoserver-devel] Funny requests sending the dispatcher belly up

Hi,
recently I’ve been wrestling with QGIS sending really funny requests to GeoServer, that are causing
a not so nice ClassCastException. Here is a sample, it’s a POST request at this URL:

http://host:port/geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typename=wfs_services:NykoebingFalster_Nordre_Gravsted&srsname=EPSG:25832&&SERVICE=WFS

with body:

<?xml version='1.0' encoding='UTF-8'?>
<!-- the enclosing Transaction elements and the opening tag of Name did not survive
     extraction; the fragment below is what remains of the posted body -->
<Name xmlns="http://www.opengis.net/wfs">GEOLOC</Name>
<gml:Polygon srsName="EPSG:25832">
  <gml:outerBoundaryIs>
    <gml:LinearRing>
      <gml:coordinates cs="," ts=" ">684597.32496083003934473,6074046.84533082041889429 684599.65853476000484079,6074045.35563404019922018 684600.50785672001075,6074046.60537965968251228
        684596.93145069386810064,6074050.5842448528856039 684597.32496083003934473,6074046.84533082041889429</gml:coordinates>
    </gml:LinearRing>
  </gml:outerBoundaryIs>
</gml:Polygon>


See how the beast is set up? In the URL we have a valid GetFeature, but the body is a valid Transaction. The dispatcher parses the Transaction
as the request parameter for the service, but then decides to dispatch it to the getFeature method of DefaultWebFeatureService and… boom.

I looked at the code and found that the service/version/method found in the body are ignored if some are found in the URL:
https://github.com/geoserver/geoserver/blob/master/src/ows/src/main/java/org/geoserver/ows/Dispatcher.java#L493

So I said, surely if we have a body in an OGC request we should be trusting the body over the URL, no? No… that breaks a test for an old WMS
extension we have supported since… dunno when, but longer than I've been around in GeoServer:

https://github.com/geoserver/geoserver/blob/master/src/wms/src/test/java/org/geoserver/wms/wms_1_1_1/GetMapIntegrationTest.java#L545

See? In this case the service/version/method are coming from the URL and the body is just a style object… so in this case we cannot trust
the body, the request is actually fully coming from the URL.

As usual I'm not inclined to break backwards compatibility, so I would like to propose the following: trust the body if possible, but
if we find out that the method being requested (matching the root element name) does not exist, then we circle back and see if we can
trust the information in the URL instead.

Opinions? I have a tentative patch I can share (no tests yet, of course I’ll write some if nobody asks for changes):
https://github.com/aaime/geoserver/commit/88d5de5da7f48f87ab0367462116f725960478ab

Cheers
Andrea


==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313

fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
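The dispatch rule Andrea describes above (URL-first today, body-first with a fallback to the URL in the proposal), as an added Python example that is not GeoServer code: it reads service/version/request from the query string and from the body's root element, shows the URL-first resolution handing a Transaction body to GetFeature, and shows the body-first rule routing the same request as a Transaction while a GetMap with an SLD body still falls back to the URL. The operation table, the sample URL on localhost, the constructed Transaction body (the original body did not survive intact) and the strict mode that refuses a URL/body mismatch outright are assumptions of this example, not part of the thread's patch.

```python
"""Resolve service/version/request for an OGC POST whose URL KVP and XML body
disagree. Added example illustrating the thread's proposal; not GeoServer code.
For untrusted XML prefer defusedxml; stdlib ElementTree is used to stay offline."""
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

# Assumption: a trimmed operation table standing in for the service beans the
# real dispatcher inspects by reflection.
OPERATIONS = {
    "WFS": {"GetCapabilities", "DescribeFeatureType", "GetFeature",
            "LockFeature", "Transaction"},
    "WMS": {"GetCapabilities", "GetMap", "GetFeatureInfo"},
}


class DispatchError(Exception):
    """The request cannot be routed unambiguously."""


def kvp_from_url(url):
    """Case-insensitive service/version/request from the query string.
    A duplicated key (the trailing '&SERVICE=WFS') keeps its first value."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        found.setdefault(key.lower(), values[0])
    return {k: found.get(k) for k in ("service", "version", "request")}


def meta_from_body(body):
    """service/version from the root element's attributes, request from its local name."""
    if not body or not body.strip():
        return {"service": None, "version": None, "request": None}
    root = ET.fromstring(body)
    return {"service": root.get("service"), "version": root.get("version"),
            "request": root.tag.rsplit("}", 1)[-1]}


def resolve_url_first(url_meta, body_meta):
    """The behaviour that blew up: whatever the URL carries wins, so a
    Transaction body is handed to getFeature."""
    return {k: url_meta[k] or body_meta[k] for k in url_meta}


def resolve_body_first(url_meta, body_meta, strict=False):
    """The proposed rule: trust the body when its root element names an
    operation of the service, otherwise fall back to the URL (which keeps the
    GetMap-with-SLD-body case working). strict=True is an added hardening, not
    part of the thread's patch: refuse a request whose URL and body name
    different operations instead of silently preferring one side."""
    service = (body_meta["service"] or url_meta["service"] or "").upper() or None
    body_op = body_meta["request"]
    if body_op in OPERATIONS.get(service, set()):
        url_op = url_meta["request"]
        if strict and url_op and url_op.lower() != body_op.lower():
            raise DispatchError(f"URL requests {url_op} but body is a {body_op}")
        return {"service": service,
                "version": body_meta["version"] or url_meta["version"],
                "request": body_op}
    if url_meta["request"]:
        # Body root is not an operation (an SLD document, say): the URL is
        # authoritative, version included, since the body's version is the SLD's.
        return {"service": service,
                "version": url_meta["version"] or body_meta["version"],
                "request": url_meta["request"]}
    raise DispatchError("neither URL nor body names a known operation")


def route(url, body, strict=False):
    return resolve_body_first(kvp_from_url(url), meta_from_body(body), strict=strict)


def strict_mode_rejects(url, body):
    """True when the strict rule would refuse this URL/body combination."""
    try:
        route(url, body, strict=True)
    except DispatchError:
        return True
    return False


# Constructed sample input: a QGIS-style URL like the one in the thread and a
# minimal WFS 1.0.0 Transaction body (the original body was not reproduced intact).
SAMPLE_URL = ("http://localhost:8080/geoserver/ows?service=WFS&version=1.0.0"
              "&request=GetFeature&typename=wfs_services:NykoebingFalster_Nordre_Gravsted"
              "&srsname=EPSG:25832&&SERVICE=WFS")
SAMPLE_TRANSACTION = """<wfs:Transaction service="WFS" version="1.0.0"
    xmlns:wfs="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml"
    xmlns:ogc="http://www.opengis.net/ogc">
  <wfs:Update typeName="wfs_services:NykoebingFalster_Nordre_Gravsted">
    <wfs:Property><wfs:Name>GEOLOC</wfs:Name>
      <wfs:Value><gml:Polygon srsName="EPSG:25832"><gml:outerBoundaryIs><gml:LinearRing>
        <gml:coordinates cs="," ts=" ">684597.32,6074046.85 684599.66,6074045.36 684600.51,6074046.61 684596.93,6074050.58 684597.32,6074046.85</gml:coordinates>
      </gml:LinearRing></gml:outerBoundaryIs></gml:Polygon></wfs:Value>
    </wfs:Property>
    <ogc:Filter><ogc:FeatureId fid="NykoebingFalster_Nordre_Gravsted.1"/></ogc:Filter>
  </wfs:Update>
</wfs:Transaction>"""
SAMPLE_SLD_URL = "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.1&request=GetMap"
SAMPLE_SLD = """<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>topp:states</Name></NamedLayer>
</StyledLayerDescriptor>"""

if __name__ == "__main__":
    url_meta, body_meta = kvp_from_url(SAMPLE_URL), meta_from_body(SAMPLE_TRANSACTION)
    print("URL-first :", resolve_url_first(url_meta, body_meta))   # request GetFeature (wrong)
    print("body-first:", resolve_body_first(url_meta, body_meta))  # request Transaction
    print("SLD case  :", route(SAMPLE_SLD_URL, SAMPLE_SLD))         # request GetMap
    print("strict    :", strict_mode_rejects(SAMPLE_URL, SAMPLE_TRANSACTION))  # True
```

The strict mode is the check a practitioner would want in front of a WFS-T endpoint: when the operation name travels in two channels, anything that authorizes or logs on the query string alone (a proxy rule keyed on request=GetFeature, an audit trail) sees a read while the server executes a write. Refusing the mismatch, or at least logging it, keeps the two views consistent; the thread's fallback rule is the compatible middle ground for clients that cannot be updated quickly.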


On Friday 2 December 2016 17:52:37 CET Andrea Aime wrote:
> Hi,
> recently I've been wrestling with QGIS sending really funny requests to GeoServer, that are causing
> a not so nice ClassCastException. Here is a sample, it's a POST request at this URL:

FYI, I’ve been emailed about the same issue but from the perspective of QGIS. Ultimately, this should be fixed in QGIS since such requests are wrong and I wouldn’t expect a WFS server to make sense of them.

Even

Spatialys - Geospatial professional services

http://www.spatialys.com

On Fri, Dec 2, 2016 at 6:19 PM, Even Rouault <even.rouault@anonymised.com> wrote:

> On Friday 2 December 2016 17:52:37 CET Andrea Aime wrote:
> > Hi,
> > recently I've been wrestling with QGIS sending really funny requests to GeoServer, that are causing
> > a not so nice ClassCastException. Here is a sample, it's a POST request at this URL:
>
> FYI, I've been emailed about the same issue but from the perspective of
> QGIS. Ultimately, this should be fixed in QGIS since such requests are
> wrong and I wouldn't expect a WFS server to make sense of them.

Interesting... wondering how you're going to implement that? Like, wiping
out everything past the ? won't work with mapserver, that
normally needs a reference to a mapfile.
But maybe just removing service/request/version would do the trick.

Do you already know in which version of QGIS the fix will land?

Cheers
Andrea


-------------------------------------------------------

On Friday 2 December 2016 18:22:38 CET Andrea Aime wrote:
> On Fri, Dec 2, 2016 at 6:19 PM, Even Rouault <even.rouault@anonymised.com> wrote:
> > FYI, I've been emailed about the same issue but from the perspective of
> > QGIS. Ultimately, this should be fixed in QGIS since such requests are
> > wrong and I wouldn't expect a WFS server to make sense of them.
>
> Interesting… wondering how you're going to implement that? Like, wiping
> out everything past the ? won't work with mapserver, that
> normally needs a reference to a mapfile.
> But maybe just removing service/request/version would do the trick.

There are 2 issues in fact:

  • &SERVICE=WFS is always appended at the end of the URL, which is not necessary (but probably not critical)

  • the other parameters come from the user. In past QGIS versions, folks used to put full GetFeature queries (or at least something with VERSION & SRSNAME), so some sanitizing is necessary in that case. But yes I would strip SERVICE, REQUEST, VERSION, TYPENAME(s), SRSNAME, anything that is a WFS KVP.

> Do you already know in which version of QGIS the fix will land?

I’m not sure. Perhaps this can be addressed during the next sponsored QGIS bugfixing session. A first step would be to have a ticket in the QGIS tracker about that.

Even
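The client-side sanitizing Even describes (drop SERVICE, REQUEST, VERSION, TYPENAME(s), SRSNAME and any other WFS KVP from a user-supplied base URL, while keeping what the server needs, such as a MapServer map parameter), as an added Python example that is not QGIS code. The list of WFS KVP names and the sample URLs are assumptions of this example.

```python
"""Strip WFS key-value parameters from a user-supplied service URL before the
client builds its own request. Added example, not QGIS code."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the WFS 1.0/1.1 KVP names a client must own itself. Anything
# else (MapServer's 'map=', vendor options) is left for the server.
WFS_KVP = {"service", "request", "version", "typename", "typenames", "srsname",
           "maxfeatures", "propertyname", "featureid", "filter", "bbox",
           "outputformat", "resulttype"}


def strip_wfs_kvp(url):
    """Return url with WFS KVP removed (keys compared case-insensitively).
    Empty pairs such as the '&&' left by a trailing '&SERVICE=WFS' vanish too,
    and a URL with nothing left keeps no dangling '?'."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in WFS_KVP]
    return urlunsplit(parts._replace(query=urlencode(kept, safe="/:")))


# Constructed sample URLs: a GeoServer endpoint with a full GetFeature query
# pasted in by a user, and a MapServer endpoint that must keep its mapfile.
GEOSERVER_URL = ("http://localhost:8080/geoserver/ows?service=WFS&version=1.0.0"
                 "&request=GetFeature&typename=wfs_services:NykoebingFalster_Nordre_Gravsted"
                 "&srsname=EPSG:25832&&SERVICE=WFS")
MAPSERVER_URL = "http://example.org/cgi-bin/mapserv?map=/srv/maps/x.map&SERVICE=WFS&VERSION=1.0.0"

if __name__ == "__main__":
    print(strip_wfs_kvp(GEOSERVER_URL))  # http://localhost:8080/geoserver/ows
    print(strip_wfs_kvp(MAPSERVER_URL))  # http://example.org/cgi-bin/mapserv?map=/srv/maps/x.map
```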

I kind of agree with Even in that this request is bogus and really does seem like it should be fixed on the sender side. That said the patch doesn't seem too invasive so looks like a sensible solution to me as well. The worry is that if the dispatcher starts to try to accommodate these kinds of client bugs and peculiarities how far down that rabbit hole will one go :)

$0.02



On Fri, Dec 2, 2016 at 6:31 PM, Even Rouault <even.rouault@anonymised.com> wrote:

> There are 2 issues in fact:
>
> - &SERVICE=WFS is always appended at the end of the URL, which is not
> necessary (but probably not critical)
>
> - the other parameters come from the user. In past QGIS versions, folks
> used to put full GetFeature queries (or at least something with VERSION &
> SRSNAME), so some sanitizing is necessary in that case. But yes I would
> strip SERVICE, REQUEST, VERSION, TYPENAME(s), SRSNAME, anything that is a
> WFS KVP.

Agreed, good thinking.

> > Do you already know in which version of QGIS the fix will land?
>
> I'm not sure. Perhaps this can be addressed during the next sponsored QGIS
> bugfixing session. A first step would be to have a ticket in the QGIS
> tracker about that.

If the patch I am proposing gets in, the compatibility between the two
systems could be addressed by Dec 18th with the 2.10.1 release.
The trouble being, that it's hard to update a lot of QGIS installations,
compared to a single GeoServer one (referring to an organization
using both, WFS-T is normally not offered to the wide public).

Cheers
Andrea


-------------------------------------------------------

Pull request here: https://github.com/geoserver/geoserver/pull/2010

Would be nice if we could get these fixes in 2.10.1

Cheers
Andrea

On Fri, Dec 2, 2016 at 6:32 PM, Justin Deoliveira <jdeolive@anonymised.com> wrote:

> I kind of agree with Even in that this request is bogus and really does seem like it should be fixed on the sender side. That said the patch doesn't seem too invasive so looks like a sensible solution to me as well. The worry is that if the dispatcher starts to try to accommodate these kinds of client bugs and peculiarities how far down that rabbit hole will one go :)
>
> $0.02

