[Geoserver-devel] Pull request for xss vulnerability in OpenLayers WMS output format

Hi,
I prepared https://github.com/geoserver/geoserver/pull/647 to solve GEOS-5318.

Should be quite straightforward, can I merge before freeze?

Thanks
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Please, and thanks for including a test case.

In general the strategy for the beta is to get code in front of the public for review and to help share the QA burden :)


Jody Garnett

On Tue, Jul 15, 2014 at 10:32 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi,
I prepared https://github.com/geoserver/geoserver/pull/647 to solve GEOS-5318.

Should be quite straightforward, can I merge before freeze?

Thanks
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world’s largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Thanks.
Is it ok to backport the fix for 2.5.2 or is it too late?

Mauro


Andrea is the keeper of 2.5.x branch this week - perhaps buy him a drink?

In general we try and let work hang out on master for a month before considering it stable enough for a back port. I think an exception could be made for a security vulnerability.


Jody Garnett

On Tue, Jul 15, 2014 at 9:51 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Thanks.
Is it ok to backport the fix for 2.5.2 or is it too late?

Mauro

On 15 Jul 2014 19:57, “Jody Garnett” <jody.garnett@…403…> wrote:

Please, and thanks for including a test case.

In general the strategy for the beta is to get code in front of the public for review and to help share the QA burden :)

Jody Garnett


+1 for the backport since it is a security issue.

Christian


On Wed, Jul 16, 2014 at 6:47 PM, Jody Garnett <jody.garnett@anonymised.com> wrote:

Andrea is the keeper of 2.5.x branch this week - perhaps buy him a drink?

In general we try and let work hang out on master for a month before considering it stable enough for a back port. I think an exception could be made for a security vulnerability.



DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Mauro, did you test this in anger? If we break 2.5.2 due to a late commit, the next release for users will be available only in 3 months now (in September we have 2.6.0, there will not be a 2.5.3 then)

https://github.com/geoserver/geoserver/wiki/Release-Schedule

If you feel it's really solid, since it's a security issue, I'm good with backporting. But let's make sure.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi,

On 2014-07-17 9:34 GMT+02:00, Andrea Aime <andrea.aime@anonymised.com> wrote:

Mauro, did you test this in anger? If we break 2.5.2 due to a late commit, the next release for users will be available only in 3 months now (in September we have 2.6.0, there will not be a 2.5.3 then)

https://github.com/geoserver/geoserver/wiki/Release-Schedule

If you feel it's really solid, since it's a security issue, I'm good with backporting. But let's make sure.

I feel quite confident. The change is simple and limited. The pull request is here: https://github.com/geoserver/geoserver/pull/655
Feel free to merge or not.

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

On Thu, Jul 17, 2014 at 11:42 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

I feel quite confident. The change is simple and limited. The pull request is here: https://github.com/geoserver/geoserver/pull/655

Looked at the pull request, it's indeed a trivial change. Merged :)

Cheers
Andrea


-------------------------------------------------------