[Geoserver-devel] [JIRA] (GEOS-8913) Layer Preview URL contained a potentially malicious String

Jody Garnett created an issue

GeoServer / GEOS-8913

Layer Preview URL contained a potentially malicious String

Issue Type: Bug
Affects Versions: 2.14-RC
Assignee: Unassigned
Components: Wicket UI
Created: 03/Sep/18 11:33 AM
Priority: Low
Reporter: Jody Garnett

This may be a difficult error to isolate; it occurred when:

  1. Start GeoServer with the default release data directory

  2. Click layer preview; it looks like establishing a session had bad luck and the jsessionid contained an invalid character

03 Sep 12:27:30 WARN [servlet.ServletHandler] - /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage;jsessionid=qemha14d2ivnrpw70w26p29v
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:141)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:90)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:79)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:46)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	...

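A log-triage sketch for the rejection reported above, added here as an example and not part of the original report or of GeoServer: it pairs each `RequestRejectedException` with the preceding request line and separates URLs whose only path parameter is `;jsessionid=` (servlet session URL rewriting) from other semicolon-bearing URLs that deserve a closer look. The function names, the verdict labels and the second log entry are constructed for illustration.

```python
import re

# Constructed sample in the format of the log excerpt above (second entry is invented).
SAMPLE_LOG = """\
03 Sep 12:27:30 WARN [servlet.ServletHandler] - /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage;jsessionid=qemha14d2ivnrpw70w26p29v
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
\tat org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
03 Sep 12:31:02 WARN [servlet.ServletHandler] - /geoserver/web/;foo=bar/index.html
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
"""

REQUEST = re.compile(r"WARN \[servlet\.ServletHandler\] - (\S+)")
REJECTED = re.compile(r'RequestRejectedException: .*malicious String "(.+)"')


def path_parameters(uri):
    """Return the names of all ';name=value' path parameters in a request URI."""
    names = []
    for segment in uri.split("?", 1)[0].split("/"):
        for param in segment.split(";")[1:]:
            names.append(param.split("=", 1)[0].lower())
    return names


def triage(log_text):
    """Pair each firewall rejection with its request URI and classify the cause."""
    findings, last_uri = [], None
    for line in log_text.splitlines():
        request = REQUEST.search(line)
        if request:
            last_uri = request.group(1)
            continue
        rejected = REJECTED.search(line)
        if rejected and last_uri is not None:
            names = path_parameters(last_uri)
            # Only a lone ;jsessionid=... parameter counts as session URL rewriting.
            if rejected.group(1) == ";" and names and set(names) == {"jsessionid"}:
                verdict = "session-url-rewriting"
            else:
                verdict = "review"
            # Report the path without its parameters so session ids are not re-logged.
            findings.append((last_uri.split(";", 1)[0], rejected.group(1), verdict))
            last_uri = None
    return findings


if __name__ == "__main__":
    for path, token, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:22} {token!r:5} {path}")
```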