Hi,
This is about the CAS extension. We noticed that the retrieveService method in CasAuthenticationFilter.java always assumes that a key/value-pair (a URL parameter) has a value. See line 118 in:
https://github.com/geoserver/geoserver/blob/master/src/extension/security/cas/src/main/java/org/geoserver/security/cas/GeoServerCasAuthenticationFilter.java
The line in question:
String name = param.split("=")[0];
String value = param.split("=")[1]; // error if param has no value
However, this will result in an ArrayIndexOutOfRangeException if, for example, a GetMap URL contains a parameter with no value, such as: "style="
An example fix:
String[] keyValue = param.split("=");
if (keyValue.length == 0) continue;
String name = keyValue[0];
String value = (keyValue.length == 1) ? null : keyValue[1];
I guess this line should be adapted as well:
buff.append(name).append("=").append(value);
Why not just:
buf.append(param)
Greetz, Egon
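An added example, not part of the original post and not GeoServer code: Java's String.split drops trailing empty strings, so "style=" yields a one-element array and "=" yields an empty one, which is why indexing [1] fails. The sketch below goes a little beyond the proposed fix by splitting at the first '=' only, so values that themselves contain '=' survive; the class name, method names and sample query are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class QueryParamSplitDemo {

    /** Splits one "name=value" token at the first '=' only; value is "" when absent. */
    static String[] splitParam(String param) {
        int eq = param.indexOf('=');
        if (eq < 0) {
            return new String[] {param, ""};   // bare name, no '=' at all
        }
        return new String[] {param.substring(0, eq), param.substring(eq + 1)};
    }

    /** Rebuilds a query string, skipping empty or nameless tokens and keeping empty values. */
    static String rebuild(String query) {
        List<String> out = new ArrayList<>();
        for (String param : query.split("&")) {
            if (param.isEmpty()) continue;     // produced by "&&"
            String[] kv = splitParam(param);
            if (kv[0].isEmpty()) continue;     // "=x" has no parameter name
            out.add(kv[0] + "=" + kv[1]);
        }
        return String.join("&", out);
    }

    public static void main(String[] args) {
        // Constructed tokens showing how many elements split("=") really returns
        String[] samples = {"style=", "=", "style", "filter=a=b"};
        for (String s : samples) {
            System.out.println("\"" + s + "\".split(\"=\").length = " + s.split("=").length);
        }
        // Constructed query string with an empty value, an embedded '=',
        // an empty token and a nameless token
        String query = "layers=topp:states&style=&filter=a=b&&=x";
        System.out.println(rebuild(query));
    }
}
```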
Thanks Egon
Can you create a pull request on GitHub? Your changes are looking good.
Cheers
Christian
On Tue, Feb 25, 2014 at 5:54 PM, Egon Amade <egon.amade@anonymised.com> wrote:
Hi,
This is about the CAS extension. We noticed that the retrieveService method in CasAuthenticationFilter.java always assumes that a key/value-pair (a URL parameter) has a value. See line 118 in:
https://github.com/geoserver/geoserver/blob/master/src/extension/security/cas/src/main/java/org/geoserver/security/cas/GeoServerCasAuthenticationFilter.java
The line in question:
String name = param.split("=")[0];
String value = param.split("=")[1]; // error if param has no value
However, this will result in an ArrayIndexOutOfRangeException if, for example, a GetMap URL contains a parameter with no value, such as: "style="
An example fix:
String[] keyValue = param.split("=");
if (keyValue.length == 0) continue;
String name = keyValue[0];
String value = (keyValue.length == 1) ? null : keyValue[1];
I guess this line should be adapted as well:
buff.append(name).append("=").append(value);
Why not just:
buf.append(param)
Greetz, Egon
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
–
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
Ciao,
can we couple this PR with a JIRA so that we can decide if a backport is worth it?
Regards,
Simone Giannecchini
Ing. Simone Giannecchini
@simogeo
Founder/Director
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
On Wed, Feb 26, 2014 at 10:10 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:
Thanks Egon
Can you create a pull request on GitHub? Your changes are looking good.
Cheers
Christian
On Wed, Feb 26, 2014 at 6:36 PM, Simone Giannecchini <simone.giannecchini@anonymised.com> wrote:
Ciao,
can we couple this PR with a JIRA so that we can decide if a backport is
worth it?
+1
Just an observation, a ticket in Jira is necessary anyways, for the
release notes. Christian/Egon, please add one and refer to it from the commit
message:
http://jira.codehaus.org/browse/GEOS
Cheers
Andrea
--
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it