Dear All,
(This email has been sent to Geotools Dev list, This is the Geoserver version )
I would like to submit the following GSIP : https://github.com/geoserver/geoserver/wiki/GSIP-189
Some Background and Context:
Geotools and Geoserver make a lot of HTTP calls, internally and externally for different purposes which include
-
Downloading Schemas
-
Requesting Online Images and Resources
-
Loading remote SLDs
-
Working with remote OGC servers
-
Other Misc calls that involve access resources outside the Data Directory
In some production environments this can be seen as a potential security loop hole where developers/users have no way of controlling what is being accessed.
Hence a new Interface is proposed to implement URL validation before making the HTTP call. Geotools developers will be able to register implementations through Simple Dependency Injection or directly registering SIngletons inside Factory classes.
Geoserver will receive its de-facto implementation of this interface in which URLs will be validated through Regex expressions configured through a Web interface. Geoserver will make use of Factory methods available in Geotools to register its implementation in the API
For backward compatibility, no validation will occur if no regex are configured.
Complete details are included on the proposal. Looking forward to everyone`s feedback
regards,
Imran
ยทยทยท
I.R