Hi Folks,
So I've finally joined this one too.

I joined specifically because I have a security concern with regards to
input validation. First and foremost: I'm not a security expert or even
close but I have one or two of the basics down.

As a result of http://jira.codehaus.org/browse/GEOS-5556 - I've done some
checking of other inputs and it seems quite a lot don't have any input
validation.
The list of ones I've tested that gave bad results (a Java Error) so far:

http://wppgeog3:8082/geoserver/wfs?service=wfs&version=pies

java.util.IllegalFormatConversionException: d != java.lang.String d !=
java.lang.String

-----

The following three are based on:
http://wppgeog3:8082/geoserver/wfs?service=wfs&request=GetFeature&version=2

"typeName=" (blank typename):
java.lang.ArrayStoreException
        at
org.eclipse.emf.common.util.BasicEList.assign(BasicEList.java:124)

-----

&propertyName=39292
java.lang.RuntimeException: java.io.IOException java.io.IOException null
ORA-00936: missing expression

-----

BBOX=pies,40.212597,-72.361859,41.512517,

java.lang.IllegalArgumentException: Bounding box coordinate 0 is not
parsable:pies Bounding box coordinate 0 is not parsable:pies

-----
This URL is basically just a copied one from demo requests for the
mathgetfeature. I just changed the layer.

http://wppgeog3:8082/geoserver/wfs?request=GetFeature&version=2&typeName=Test_DB:OS_CODEPOINT_WSHIRE&formatName=GML2&FILTER=%3Cogc:Filter%20xmlns:ogc=%22http://www.opengis.net/ogc%22%3E%3Cogc:PropertyIsGreaterThan%3E%3Cogc:Div%3E%3Cogc:PropertyName%3EMANUAL%3C/ogc:PropertyName%3E%3Cogc:PropertyName%3EWORKERS%3C/ogc:PropertyName%3E%3C/ogc:Div%3E%3Cogc:Literal%3E0.25%3C/ogc:Literal%3E%3C/ogc:PropertyIsGreaterThan%3E%3C/ogc:Filter%3E

java.lang.IllegalArgumentException: Property 'MANUAL' could not
be found in OS_CODEPOINT_WSHIRE Property 'MANUAL' could not be
found in OS_CODEPOINT_WSHIRE

---
change the above "manual" to -9999 and get:

java.lang.ClassCastException: java.lang.Double cannot be cast to
org.opengis.feature.type.AttributeDescriptor java.lang.Double cannot be
cast to org.opengis.feature.type.AttributeDescriptor

---------
Change "formatName" to anything (i.e. "CSV", "-999", "pies", "GML7") and it
gets ignored, no error.

-------
"&filter=bad"
org.xml.sax.SAXParseException: Content is not allowed in prolog. Content is
not allowed in prolog

------
&filter=%3Cogc:filter%20/%3E (I entered this as: "&filter=<ogc:filter />" )
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 Index: 0, Size: 0
That's with just 10-15 minutes of fiddling, but I think it conveys the
point. I've looked at the code for one or two of them (i.e. the count=0
one) and it does look like the point that's producing the error isn't a
validation point.
So what's the GeoServer policy on input validation?

Cheers,
Jonathan
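A defensive counterpart to the checks the post is asking for, added here as an example and not code from GeoServer: it validates the GetFeature KVP parameters named above (version, typeName, propertyName, BBOX, filter) up front and turns each of the post's malformed inputs into a structured client error instead of a Java stack trace or an Oracle error. The SCHEMAS dictionary, the OwsException class and the attribute names for the layer are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the schema of the post's Test_DB:OS_CODEPOINT_WSHIRE layer;
# the attribute names are assumptions, not taken from the post.
SCHEMAS = {"Test_DB:OS_CODEPOINT_WSHIRE": {"POSTCODE", "EASTING", "NORTHING", "WORKERS"}}
VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")  # accepts 2, 2.0, 2.0.0; rejects "pies"

class OwsException(ValueError):
    """Structured client error that maps to an OWS ExceptionReport, never a Java stack trace."""
    def __init__(self, locator, text):
        super().__init__(f"InvalidParameterValue [{locator}]: {text}")
        self.locator = locator

def validate_kvp(params):
    """Check every KVP parameter up front, before any value reaches a parser or SQL backend."""
    kvp = {k.lower(): v for k, v in params.items()}  # WFS KVP keys are case-insensitive
    version = kvp.get("version", "2.0.0")
    if not VERSION_RE.match(version):
        raise OwsException("version", "expected a numeric version such as 2.0.0")
    type_name = kvp.get("typename", "")
    if type_name not in SCHEMAS:  # covers the blank typeName case as well as unknown layers
        raise OwsException("typeName", "empty or unknown feature type")
    for prop in filter(None, kvp.get("propertyname", "").split(",")):
        if prop not in SCHEMAS[type_name]:  # whitelist against the schema; raw names never reach SQL
            raise OwsException("propertyName", f"unknown property {prop!r}")
    coords = None
    if "bbox" in kvp:
        parts = kvp["bbox"].split(",")
        if len(parts) not in (4, 5):
            raise OwsException("bbox", "expected minx,miny,maxx,maxy[,crs]")
        try:
            coords = [float(p) for p in parts[:4]]
        except ValueError:
            raise OwsException("bbox", "coordinate is not numeric") from None
        if coords[0] > coords[2] or coords[1] > coords[3]:
            raise OwsException("bbox", "min corner exceeds max corner")
    if "filter" in kvp:
        try:
            root = ET.fromstring(kvp["filter"])
        except ET.ParseError:
            raise OwsException("filter", "not well-formed XML") from None
        if len(root) == 0:  # an empty <ogc:Filter/> has no operator to evaluate
            raise OwsException("filter", "Filter must contain an operator")
    return {"version": version, "typeName": type_name, "bbox": coords}
```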

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel