[Geoserver-devel] [jira] (GEOS-5273) external SLD reference in getMap allows access to host filesystem because of external entities

Rudi Hochmeister created Bug GEOS-5273
external SLD reference in getMap allows access to host filesystem because of external entities

Issue Type:

Bug

Affects Versions:

2.1.3

Assignee:

Andrea Aime

Components:

Security

Created:

16/Aug/12 8:08 AM

Description:

With a prepared external SLD rule, it is possible to access sensitive system files in /etc on the host machine and display them as an image.
For instance, one can get access to /etc/passwd, but I will not post this particular getMap request here. I can't post the actual request here, because it affects our public service. I will mail the request to a GeoServer developer if requested.

It is also possible to drop an XML bomb, but this is another story.

Disabling the use of external entities would be a solution, if it can be done.

Environment:

linux java6

Project:

GeoServer

Priority:

Major

Reporter:

Rudi Hochmeister

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your [JIRA administrators](https://jira.codehaus.org/secure/ContactAdministrators!default.jspa). For more information on JIRA, see: [http://www.atlassian.com/software/jira](http://www.atlassian.com/software/jira)
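The report above describes a classic XML external entity (XXE) problem: the SLD document fetched from the attacker-controlled URL carries a DOCTYPE whose external entity points at a local file, and the expanded text ends up in the rendered map. The following Java program is an added illustration written for this page; it is not GeoServer's or GeoTools' own code, and it does not reproduce the reporter's request. It uses plain JAXP (the JDK's built-in Xerces) rather than the parser stack GeoServer uses, a constructed SLD-like document, and a temporary file standing in for /etc/passwd, so it runs offline and touches nothing sensitive. The class and method names (SldXxeDemo, maliciousSld, hardenedParser, and so on) are the example's own; the feature URIs are the standard SAX and Apache Xerces feature names.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SldXxeDemo {

    // Constructed stand-in for a secret on the host. A real attack would
    // point the entity at /etc/passwd; here we write a temp file instead.
    static File writeSecret() throws Exception {
        File f = File.createTempFile("secret", ".txt");
        f.deleteOnExit();
        Files.write(f.toPath(), "root:x:0:0:root:/root:/bin/bash\n".getBytes("UTF-8"));
        return f;
    }

    // Constructed malicious SLD-like document (not a real SLD from the report):
    // the DOCTYPE declares an external general entity backed by a local file,
    // and the entity reference drops the file contents into a text node that
    // a renderer would happily draw as a label.
    static String maliciousSld(File secret) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE StyledLayerDescriptor [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<StyledLayerDescriptor version=\"1.0.0\">\n"
            + "  <NamedLayer><Name>&xxe;</Name></NamedLayer>\n"
            + "</StyledLayerDescriptor>";
    }

    // Default JAXP configuration: external general entities are resolved,
    // so the parser reads whatever file the DOCTYPE names.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration. Refusing the DOCTYPE outright stops both the
    // external-entity file read and entity-expansion ("XML bomb") attacks.
    // The remaining flags are belt and braces for parsers that do not honour
    // the first feature.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the document and return the text that would reach the renderer.
    static String nameText(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("Name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        File secret = writeSecret();
        String sld = maliciousSld(secret);

        // Vulnerable path: the file contents come back inside <Name>.
        System.out.println("default parser  : " + nameText(defaultParser(), sld).trim());

        // Hardened path: the DOCTYPE is rejected before any entity is resolved.
        try {
            nameText(hardenedParser(), sld);
            System.out.println("hardened parser : UNEXPECTED - entity was resolved");
        } catch (SAXParseException e) {
            System.out.println("hardened parser : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SldXxeDemo.java && java SldXxeDemo`. The default parser prints the contents of the temp file, which is exactly the behaviour the report describes for /etc/passwd; the hardened parser throws a SAXParseException at the DOCTYPE. Note that the fix has to be applied wherever the SLD is actually parsed: a DocumentBuilderFactory configured this way in one place does nothing for a SAX or StAX parser constructed elsewhere, and the external-entity features are per-factory, not JVM-wide.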