Hello Jean-Christophe,

When users upload XML documents to your server, those files can contain links to 
other documents (e.g. for namespace or schema definitions). An attacker could 
send a document containing links to files on the server's disk and somehow 
cause the server to leak this information, I think. Or include links to 
resources on the internet that lead GeoServer to misbehave. More specific 
information might come from the GeoServer developers. See also 
https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities
in the documentation.

So I'm trying to avoid weakening the External Entity settings if possible. I 
would also suggest you use the "-DENTITY_RESOLUTION_ALLOWLIST=*" parameter (see 
https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities)
for the moment, because it only allows access to online resources, not to 
local files on the server.

Regards
Daniel

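As an added illustration of the risk Daniel describes above, here is a small allowlist-enforcing entity resolver. This is example code written for this page, not GeoServer's own implementation (GeoServer is Java; this uses Python's expat parser to show the same mechanism). The semantics are my reading of the three settings discussed in the thread and are an assumption: no allowlist means "unlimited resolution" (anything, including file://), an allowlist of "*" means any http/https host but never a local file, and a list of hosts means only those hosts. The allowed hosts are the two named in the thread (www.opengis.net, www.w3.org); the "remote" documents and the intranet host are constructed stand-ins so the example runs offline.

```python
"""Added example (not GeoServer code): how an external-entity allowlist stops
an uploaded XML document from reading server files or reaching arbitrary hosts.
GeoServer is Java; this uses Python's expat parser to show the same mechanism."""
import pathlib
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse
from urllib.request import url2pathname


class EntityResolutionDisallowed(Exception):
    """Raised when an external entity points outside the allowed set."""


# Constructed stand-in for the network so the example runs offline. A real
# resolver would perform an HTTP fetch here.
FAKE_REMOTE = {
    "http://www.w3.org/2001/xml.xsd": b"<schema>constructed stand-in for the real schema</schema>",
    "http://intranet.example/admin": b"<p>constructed internal page reachable only from the server</p>",
}

# Hosts named in the thread as being on the default list; assumed for this demo.
DEFAULT_ALLOWLIST = ("www.opengis.net", "www.w3.org")


def is_allowed(system_id, allowlist):
    """Assumed semantics of the three settings discussed in the thread:
    None       -> 'unlimited resolution': anything, including file://
    ("*",)     -> ENTITY_RESOLUTION_ALLOWLIST=*: any http/https host, never local files
    (hosts...) -> only those http/https hosts."""
    if allowlist is None:
        return True
    url = urlparse(system_id)
    if url.scheme not in ("http", "https"):
        return False
    return "*" in allowlist or url.hostname in allowlist


def fetch(system_id):
    """Return the bytes of an external entity once it has passed the allowlist."""
    url = urlparse(system_id)
    if url.scheme == "file":
        with open(url2pathname(url.path), "rb") as f:
            return f.read()
    return FAKE_REMOTE[system_id]  # constructed; a real resolver would do HTTP


def parse_with_allowlist(xml_bytes, allowlist):
    """Parse a document, inlining external general entities that pass the
    allowlist; return the character data seen inside the root element."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        if not is_allowed(system_id, allowlist):
            # Mirrors the wording of the SAXException quoted in the thread.
            raise EntityResolutionDisallowed(
                f"Entity resolution disallowed for {system_id}")
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = chunks.append
        sub.Parse(fetch(system_id), True)
        return 1

    parser.CharacterDataHandler = chunks.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def build_payload(system_id):
    """Constructed payload in the classic XXE shape: declare an external
    entity and reference it in content so its body is inlined."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE sld [\n"
        f'  <!ENTITY ext SYSTEM "{system_id}">\n'
        "]>\n"
        "<sld>&ext;</sld>\n"
    ).encode()


def resolve_demo(system_id, allowlist):
    """Return ("ok", inlined text) or ("denied", message)."""
    try:
        return "ok", parse_with_allowlist(build_payload(system_id), allowlist)
    except EntityResolutionDisallowed as exc:
        return "denied", str(exc)


def local_file_demo(allowlist):
    """Write a constructed secret to a temp file and try to read it through XXE."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "secret.txt"
        secret.write_text("db_password=hunter2")
        return resolve_demo(secret.as_uri(), allowlist)


if __name__ == "__main__":
    print("unlimited, local file:      ", local_file_demo(None))
    print("allowlist=*, local file:    ", local_file_demo(("*",)))
    print("allowlist=*, internal host: ", resolve_demo("http://intranet.example/admin", ("*",)))
    print("default list, w3.org schema:", resolve_demo("http://www.w3.org/2001/xml.xsd", DEFAULT_ALLOWLIST))
    print("default list, internal host:", resolve_demo("http://intranet.example/admin", DEFAULT_ALLOWLIST))
```

Running it shows the difference between the settings: with unlimited resolution the contents of the local file end up inside the parsed document, with "*" the file:// reference is refused before anything is read, and with a host list an unknown host is refused before any fetch is attempted. The caveat with "*" is also visible: the server will still follow an entity to any http/https host it can reach, including internal ones, so a host allowlist is the stronger setting once the needed schema hosts are known.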

From: Jean-Christophe Bastin <jcbas...@thelis.be>
Sent: Monday, 22 April 2024 16:41
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; 'geoserver-users' 
<geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don't know if this is the same behavior as your 
parameter DENTITY_RESOLUTION_ALLOWLIST=*.
In Configuration, Global, there is "Unlimited resolution of XML external 
entities (security risk)" (this is translated from French, sorry if it's not 
exactly the same words).
After checking and applying the changes, the error is gone when consulting layers.
BUT, I see the "security risk" with this parameter, and I don't know what it is 
exactly.

If someone can explain what it is talking about, I'll appreciate it :)

Many thanks.

Jean-Christophe

From: Jean-Christophe Bastin
Sent: Monday, 22 April 2024 16:13
To: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; 
'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.
In my case, I'm updating from GeoServer 2.10.0 to 2.25.0. I had many issues 
that I was able to manage by myself. But the last issue (I hope) I see now is 
that for any layer I want to preview, or access to show, I also get a service 
exception 
"java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity 
resolution disallowed for null".

I'm really interested to have also some support on this point.

Many thanks.

Jean-Christophe

From: Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
Sent: Monday, 22 April 2024 15:00
To: 'geoserver-users' <geoserver-users@lists.sourceforge.net>
Subject: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now 
I can't preview WMS layers. The error message is: 
"java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity 
resolution disallowed for null". The same message is shown when I try to 
validate an SLD stylesheet. I copied the full stack trace to a file and 
attached it to this message. I also reverted back to the data dir included in 
the 2.25.0 release and can reproduce the error e.g. with the 'point' style.

I now found out that when I'm starting GeoServer with the 
-DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this 
parameter shouldn't be necessary, because the styles only contain 
references to www.opengis.net and www.w3.org, which are in the default list of 
allowed domains for entity expansion according to the documentation 
(https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities).

The geoserver log shows a lot of "WARN   [geotools.xsd] - Sax parser property 
'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' not 
recognized.  Xerces version is incompatible." messages. Might there be a 
connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel
_______________________________________________
Geoserver-users mailing list

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users