I think this solution would be enough to close the security hole.
2013/7/24 Christian Mueller <[email protected]>
> Done, please review at
>
>
> https://github.com/mcrmcr/geoserver-1/commit/7306ceaf1a9fc98ba4c8b00d733ee7bf9bfce0aa
>
>
> 2013/7/24 Christian Mueller <[email protected]>
>
>> Yep, this is an argument. The URL path is
>>
>>
>> http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false
>>
>>
>> Some improvments:
>>
>> 1)
>> Changing the ant pattern to "/web/" instead of "/web/**"
>>
>> 2)
>> Check that the number of parameters is 2
>>
>> 3)
>> Check that
>> wicket:bookmarkablePage<http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false>
>> exists and has the value
>> :org.geoserver.web.GeoServerLoginPage<http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false>
>>
>> 4)
>> Check that error parameter exists and has the value false or true.
>>
>>
>>
>> I will check this and update the patch.
>>
>> Christian
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> 2013/7/24 Roar Brænden <[email protected]>
>>
>>> Hi,
>>>
>>> I look at your code and are a little bit concerned about the solution
>>> for Login-page itself.
>>> Wouldn't it be easy to include "org.geoserver.web.GeoServerLoginPage" as
>>> a part of the queryString in any url?
>>> In that way this hack would be a fairly decent security hole.
>>>
>>> Regards,
>>>
>>> Roar Brænden
>>>
>>>
>>> 2013/7/23 Christian Mueller <[email protected]>
>>>
>>>> The issue is here
>>>>
>>>> https://jira.codehaus.org/browse/GEOS-5921#comment-329355
>>>>
>>>> The patch is here
>>>>
>>>>
>>>> https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7
>>>>
>>>> The patch contains only a few lines, but it is a hack. As a
>>>> consequence, a review would be nice.
>>>>
>>>> @Justin, I think this class was invented by you.
>>>>
>>>> Thanks to reviewer :-)
>>>>
>>>>
>>>> --
>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>> OSS Open Source Solutions GmbH
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> See everything from the browser to the database with AppDynamics
>>>> Get end-to-end visibility with application monitoring from AppDynamics
>>>> Isolate bottlenecks and diagnose root cause in seconds.
>>>> Start your free trial of AppDynamics Pro today!
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> Geoserver-devel mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>
>>>>
>>>
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH
>
>
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
