[Geoserver-devel] [JIRA] (GEOS-10392) Sending the contents of a tiff file to an "external.geotiff" endpoint in the REST API will crash GeoServer

Ian Turton created an issue

GeoServer / Bug GEOS-10392

Sending the contents of a tiff file to an “external.geotiff” endpoint in the REST API will crash GeoServer

Issue Type: Bug

Affects Versions: 2.20.2

Assignee: Unassigned

Components: REST

Created: 16/Feb/22 6:11 PM

Priority: Medium

Reporter: Ian Turton

If, while creating a coverage store via REST using a remote file location (and you happen to be on the same machine), you leave the @ sign in your curl command line, GeoServer receives the content of the tif as the URL location of the file and attempts to use it without any checking. This causes what looks like a buffer overflow and kills the server. A very carefully constructed tif file could cause a security problem (in theory) and it does DoS the machine even if unintentionally.

It would be good if we carried out some basic checks before blindly changing it into a URL.


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100191-sha1:831671b)
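
The kind of basic check the report asks for, as an added example that is not GeoServer's code or part of the original message: it rejects a request body that is TIFF data, or otherwise not a plausible location, before the body is parsed as a URI. The class name, the length limit, the scheme allow-list and the requirement of an explicit scheme are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Added example: hypothetical class, not GeoServer code.
public class ExternalLocationCheck {
    static final int MAX_LEN = 2048; // assumed upper bound for a location string
    static final Set<String> SCHEMES = Set.of("file", "http", "https"); // assumed allow-list

    /** Returns the body parsed as a location URI, or throws IllegalArgumentException. */
    static URI parseLocation(byte[] body) {
        if (body.length == 0 || body.length > MAX_LEN)
            throw new IllegalArgumentException("implausible length: " + body.length);
        // TIFF starts with "II" or "MM", then version 42 (43 for BigTIFF) in that byte order.
        if (body.length >= 4 && body[0] == body[1]
                && ((body[0] == 'I' && (body[2] == 42 || body[2] == 43) && body[3] == 0)
                 || (body[0] == 'M' && body[2] == 0 && (body[3] == 42 || body[3] == 43))))
            throw new IllegalArgumentException("body is TIFF data, not a location");
        String text = new String(body, StandardCharsets.ISO_8859_1).strip();
        for (char c : text.toCharArray())
            if (c <= 0x20 || c > 0x7e) // printable ASCII only; anything else must be percent-encoded
                throw new IllegalArgumentException("non-printable or non-ASCII character in location");
        try {
            URI uri = new URI(text);
            String scheme = uri.getScheme();
            if (scheme == null || !SCHEMES.contains(scheme.toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("scheme not allowed: " + scheme);
            return uri;
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI", e);
        }
    }

    public static void main(String[] args) {
        byte[][] samples = { // constructed inputs
            "file:///data/sample.tif".getBytes(StandardCharsets.US_ASCII),
            {'I', 'I', 42, 0, 8, 0, 0, 0}, // first bytes of a little-endian TIFF
            "gopher://host/x".getBytes(StandardCharsets.US_ASCII)
        };
        for (byte[] s : samples) {
            try {
                System.out.println("accepted: " + parseLocation(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A caller would map the `IllegalArgumentException` to an HTTP 400 response so that a mistaken upload fails at the request boundary instead of reaching the coverage reader.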
