[Geoserver-devel] Platform independent binary is broken on main

I’ve just created https://osgeo-org.atlassian.net/browse/GEOS-11224 - basically you can’t have .. in the data directory path any longer, which we do by default. I’m guessing this is caused by one of the recent security fixes; does it ring a bell with anyone?

Ian


The URL check normalizes relative paths before checking; so that should be fixable.


Ian Turton

Likely starting GeoServer from inside the “bin” folder?
It’s something I never do.

I’ve tried with a 2.24.1 I had handy and:

  • Starting as usual from the top, calling “bin/startup.sh”, no problem
  • Getting into “bin” and starting from there… boom! From the logs:
    GEOSERVER DATA DIR is /home/aaime/devel/gs_releases/geoserver-2.24.1/bin/../data_dir


---- Debugging information ----
cause-exception : java.lang.IllegalArgumentException
cause-message : Contains invalid ‘..’ path: /home/aaime/devel/gs_releases/geoserver-2.24.1/bin/../data_dir
class : org.geoserver.catalog.impl.DataStoreInfoImpl
required-type : org.geoserver.catalog.impl.DataStoreInfoImpl
converter-type : org.geoserver.config.util.XStreamPersister$StoreInfoConverter
line number : 17
version : 2.24.1

at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:81)
at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:136)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1464)

Looking at the bin I have handy, 2.23.3 is still working fine, even with URL checks enabled (enabled them and restarted).
GeoServer 2.24.0 also loads fine from bin, with a relative data dir.
But 2.24.1 does not so… check the differences between 2.24.0 and 2.24.1

Cheers
Andrea


Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the legislation on the processing of personal data (EU Reg. 2016/679, the General Data Protection Regulation “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the recipient(s) indicated by the writer. If the message reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail

I tested also, and determined that the only way to get that path was to start from the bin folder.
However, that is working for me when testing the geoserver-main-latest-bin download. I added some notes to the ticket also.

I am assuming URLChecks are being enabled by default on main.

Ian do you have any more information about your setup?

Jody Garnett


I was indeed in bin to run start.sh - it’s Java 17, Ubuntu 22.04 usual terminal, only WPS module installed

Seems like calling b.getCanonicalPath() at some point would solve the problem

I’m just not sure where

Ian
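The distinction the thread turns on, as an added example (this is not GeoServer code and not the check in the Files.java line Andrea links to; the directory layout, the method names and the use of the install directory as the containment base are assumptions made for the illustration): a check that rejects any path containing a “..” segment cannot tell the path startup.sh builds when launched from inside bin (`<install>/bin/../data_dir`) apart from a genuine traversal out of the data directory. Normalizing first, as Ian suggests with getCanonicalPath(), removes the false positive, but on its own it also accepts the traversal; it is the containment check against a base directory that separates the two.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not GeoServer code: three ways to treat ".." in a data
 * directory path. The install layout is constructed in a temp directory.
 */
public final class DataDirPathCheck {

    /** Literal check: rejects any path with a ".." segment, even an absolute
     *  path whose ".." only steps back into the install directory. This is
     *  the behaviour that breaks "bin/../data_dir". */
    static boolean containsDotDotSegment(String path) {
        for (String seg : path.replace('\\', '/').split("/")) {
            if ("..".equals(seg)) {
                return true;
            }
        }
        return false;
    }

    /** Lexical normalization: make the path absolute and collapse "." and
     *  "..". An absolute path has no ".." segment left after this, so a
     *  literal check run afterwards no longer rejects "bin/../data_dir"
     *  (but it no longer rejects a traversal either). */
    static Path normalize(String path) {
        return Paths.get(path).toAbsolutePath().normalize();
    }

    /** Containment check: canonicalize both sides (resolves "..", "." and
     *  symlinks) and require the candidate to stay under the base. Path
     *  startsWith compares whole name elements, so "/srv/gs2" does not pass
     *  as being inside "/srv/gs" the way a String prefix check would. */
    static boolean staysWithin(File base, String candidate) throws IOException {
        Path canonicalBase = base.getCanonicalFile().toPath();
        Path canonicalCandidate = new File(candidate).getCanonicalFile().toPath();
        return canonicalCandidate.startsWith(canonicalBase);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <install>/bin and <install>/data_dir, like the
        // platform independent binary; <install> is the containment base.
        Path install = Files.createTempDirectory("gs-install");
        Files.createDirectories(install.resolve("bin"));
        Files.createDirectories(install.resolve("data_dir"));

        // What a launch from inside bin produces for the data directory.
        String fromBin = install.resolve("bin") + File.separator + ".." + File.separator + "data_dir";
        // A genuine traversal out of the install directory; also contains "..".
        String traversal = install.resolve("data_dir") + File.separator + ".."
                + File.separator + ".." + File.separator + "etc";

        for (String p : new String[] {fromBin, traversal}) {
            System.out.println(p);
            System.out.println("  literal check rejects:    " + containsDotDotSegment(p));
            System.out.println("  normalized form:          " + normalize(p));
            System.out.println("  normalized still has ..:  " + containsDotDotSegment(normalize(p).toString()));
            System.out.println("  stays within install dir: " + staysWithin(install.toFile(), p));
        }
    }
}
```

Run it with `java DataDirPathCheck.java` (single-file source launch, JDK 11 or later). For the `bin/../data_dir` path the literal check rejects, the normalized form has no `..` left, and the containment check passes; for the `data_dir/../../etc` path the literal check rejects as well, the normalized form is equally clean, and only the containment check fails. Because getCanonicalFile() also resolves symlinks, a link inside the data directory that points outside the base is caught by the same check; it is also why both sides are canonicalized before comparing, since on macOS the temp directory itself sits under a symlink (/tmp to /private/tmp) and a one-sided comparison would fail spuriously.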


This is probably being caused by one of my fixes.
https://github.com/geoserver/geoserver/pull/7222
https://github.com/geoserver/geoserver/security/advisories/GHSA-9v5q-2gwq-q9hq

Steve Ikeoka



Jody,
I don’t think it’s URL checks; as indicated, it’s not happening on 2.23.x with URL checks enabled.
Grepping for the error message I’ve found this:

https://github.com/geoserver/geoserver/blob/b5994fa08938d8c8d3d894fdaf889da2d4a97eeb/src/platform/src/main/java/org/geoserver/platform/resource/Files.java#L65

Looks like a possible candidate; it’s a recent change as well, and while it’s on 2.23.x, it’s not found in 2.23.3 (landed after that release).

Cheers
Andrea


Sorry, not happening on 2.23.3

Cheers
Andrea


Looks like it is a combination of how you run startup.sh (whether it produces a relative path or not) and being more careful about the use of relative paths within the data directory.

There is a PR https://github.com/geoserver/geoserver/pull/7317 to review.

Jody Garnett


This is addressed, and the maintenance release can go out this week as planned (assuming we have a volunteer to do so).

Jody Garnett