[Geoserver-users] Dynamic generated image url in SLD not working in 2.23.2

Hello

After upgrading to GeoServer 2.23.2 (from version 2.22.3), some of our dynamic image URLs (in SLDs) stopped working, and we are getting some errors:

URI.normalize() not available for location:

Path.normalize() not available for location:

Error occurred evaluating external graphic org.geotools.data.ows.URLCheckerException: Unable to normalize location:

The URL is as follows:

https:///ImageHandler.ashx?parameters=&imageurl=https:///Images/NorthArrows/northmicro.png&wkt=POLYGON|((588873.93564633|6137127.0831221,|588873.93564633|6137249.5831221,|588996.43564633|6137249.5831221,|588996.43564633|6137127.0831221,|588873.93564633|6137127.0831221))&plotscale=3500&wms_scale_denominator=3306.045340050377&wms_height=1123&wms_width=794&wms_bbox=588313.93564633|589048.93564633,6136262.5831221|6137302.0831221

The URL works as expected from the service we are calling, it returns the correct image, and it has been working perfectly on older versions of GeoServer.

Do any of you have an idea of what has changed in 2.23.2?
Med venlig hilsen / Best regards

Karsten Darré
GIS developer

As described on the blog announcement (https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html) this release includes a URL Checking function to prevent OGC processes from calling arbitrary URLs as a security enhancement.

You will need to whitelist the __https://**********/ImageHandler.ashx__ URL (but be careful escaping those *).

Ian


Ian Turton

New security check, described in the GeoServer 2.23.2 release announcement:
https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

and documented in detail here:
https://docs.geoserver.org/maintain/en/user/security/urlchecks.html

You’ll have to whitelist the host that generates the dynamic images.

Cheers
Andrea


==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it

With reference to the regulations on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is information whose knowledge is reserved solely to the recipient(s) indicated by the sender. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.

I looked at the example URL and it is getting blocked because of a “java.net.URISyntaxException: Illegal character in query”. The URL checking feature was modified to reject URLs that contain invalid characters to prevent them from bypassing the URL normalization and allowing access to arbitrary URL paths. A feature enhancement would be to modify the URL normalization to properly normalize the URL path even with invalid characters in the query and fragment.

If it is feasible to modify your image URLs, changing all of the “|” characters to the string “%7c” should allow it to pass the URL check although your image service will have to know to decode it.

Steve Ikeoka

From: Andrea Aime <andrea.aime@…10949…>
Sent: Friday, September 1, 2023 3:00 AM
To: Karsten Darré <KDA@…10084…>
Cc: geoserver-users@lists.sourceforge.net geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Dynamic generated image url in SLD not working in 2.23.2

On Fri, Sep 1, 2023 at 11:34 AM Karsten Darré via Geoserver-users <geoserver-users@lists.sourceforge.net> wrote:

Do any of you have an idea of what has changed in 2.23.2?


Hello Steve

Thank you for the information, we will try this out; it is possible to change all the pipes out :blush:

Again thank you very much for the help!

Med venlig hilsen / Best regards

Karsten Darré
GIS developer

From: Ikeoka, Steve <Steve.Ikeoka@…4839…>
Sent: 1 September 2023 17:40
To: Andrea Aime <andrea.aime@…10949…>; Karsten Darré <KDA@…10083…>
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Dynamic generated image url in SLD not working in 2.23.2



