Wouter Kobes created an issue |
Issue Type: |
Bug |
---|---|
Assignee: |
Unassigned |
Created: |
31/Mar/22 1:07 PM |
Priority: |
Medium |
Reporter: |
There seem to be several problems within the ENTITY_RESOLUTION_ALLOWLIST setting, which can be used to reduce the http/https sources that are allowed by the application. I have encountered two functional bugs and one security issue. Of the latter I will send an email with details.

The first bug is encountered here: https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/EntityResolverProvider.java#L124

{noformat}
} else if (!"".equals(allowed.trim())) {
{noformat}

Should be

{noformat}
} else if ("".equals(allowed.trim())) {
{noformat}

Otherwise the content of the entity resolution allowlist is never parsed.

The second issue is in https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/AllowListEntityResolver.java#L112

The getExternalSubset function is used when the allowlist is set. systemId is set to null. However, resolveEntity tries to parse systemId to a URI:

Thus a NullPointerException is thrown, and caught in line 164. This results in a SAXException thrown in line 169 with message "Entity resolution disallowed for null" for any resolution attempt. The security vulnerability will be reported through email, but could lead to bypass of the setting (if the previous two bugs are addressed)
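As an added illustration (not GeoServer's code, and not part of the report above), a simplified allowlist entity resolver in Java showing the two reported defects in corrected form: the emptiness test without the negation, and a null-safe systemId check so a missing id is refused explicitly rather than through a NullPointerException. The class name, the prefix-matching rule and the `|` separator for the setting are assumptions.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.ext.EntityResolver2;

// Simplified allowlist entity resolver (hypothetical class, not GeoServer's own).
// Only system ids starting with an allowlisted prefix may be fetched by the parser;
// everything else, including a missing system id, is refused.
public class AllowListResolverExample implements EntityResolver2 {
    private final Set<String> allowedPrefixes = new LinkedHashSet<>();

    // Parse the setting once. The report's first bug was this same test negated,
    // which sent a non-empty setting into the branch that does not parse it.
    public AllowListResolverExample(String allowed) {
        if (allowed == null || "".equals(allowed.trim())) {
            return; // empty setting: no external sources allowed
        }
        for (String entry : allowed.split("\\|")) { // '|' separator is an assumption
            if (!entry.trim().isEmpty()) allowedPrefixes.add(entry.trim());
        }
    }

    // Called for a DOCTYPE without an external subset. Returning null means "none";
    // it does not forward a null systemId into resolveEntity (the report's second bug).
    @Override
    public InputSource getExternalSubset(String name, String baseURI) {
        return null;
    }

    @Override
    public InputSource resolveEntity(String name, String publicId, String baseURI,
            String systemId) throws SAXException {
        // Null-safe: a missing id is refused explicitly instead of through an NPE
        // raised while turning systemId into a URI.
        if (systemId == null) {
            throw new SAXException("Entity resolution disallowed for missing systemId");
        }
        for (String prefix : allowedPrefixes) {
            if (systemId.startsWith(prefix)) return null; // allowlisted: parser opens it
        }
        throw new SAXException("Entity resolution disallowed for " + systemId);
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        return resolveEntity(null, publicId, null, systemId);
    }
}
```

Install it with `XMLReader.setEntityResolver(...)` on a parser that also has the `http://xml.org/sax/features/use-entity-resolver2` feature enabled, otherwise the two-argument `resolveEntity` is the only method called.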