-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recently scanned a new Geoserver 2.4.2 installation with HP WebInspect and the application found cross-site and cross-frame scripting vulnerabilities in the Geoserver code. I'd like to report these so they can get fixed, but because of security policies (this is a US government site) I can't just send the WebInspect report to a mailing list.

The cross-site scripting vulnerability is in /geoserver/view/wms and the cross-frame vulnerability is in /geoserver/index.html. If someone will email me ([email protected]) with a direct contact email address, I will send them the full WebInspect scan report with the details of what the request and response were.

Thanks,
<MR>

- -----------------------------------
Michael Raugh
NOAA/NESDIS-HQ
Sr. Systems Engineer

On 12/24/2013 10:24 AM, [email protected] wrote:
> Send Geoserver-devel mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Geoserver-devel digest..."
>
>
> Today's Topics:
>
> 1. Re: PNG encoder comparison - complex stylings (Jonathan Moules)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 24 Dec 2013 15:23:37 +0000
> From: Jonathan Moules <[email protected]>
> Subject: Re: [Geoserver-devel] PNG encoder comparison - complex stylings
> To: Andrea Aime <[email protected]>
> Cc: Geoserver-devel <[email protected]>
> Message-ID: <CAA-xNcWFtVT+zeF3rxG9jgnzuS7KSxTRY=z8a3zxitntr--...@mail.gmail.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Andrea,
> Thanks for your investigations. I'm on Windows 64bit, so no native Image I/O here. I guess that means we should be equal (Geoserver 2.4.3 here) but clearly yours is much faster. In theory ours is somewhat optimised - we had Simone consult on it and tell me the stuff I'd missed. I agree the throughput is somewhat meaningless which is why I'm using ms averages. Also because that's how long the user will have to wait for their response, which is more important to me than throughput.
>
> I chose that image size because that's the size of a single WMS request that our web-application makes for a 1280*1024 monitor (what many of our users have). The idea of the zoom threshold was to allow the different SLD's to take effect (though it's only one set with the Strategi stuff, albeit with a few scale-thresholded layers).
>
> =====
>
> I've now been running these against our live systems too (normally that'd be rather irresponsible, but it's Xmas eve and no-one is in; probably the only day I can do this in the year!). Our live server, which has a few fewer cores (12), and three load-balanced instances is definitely much better able to handle 10 threads - I get a total average of 3316ms (2.9r/s) in that scenario (Oracle layers, PNG encoder). That uses 100% of the CPU (~30% per instance). The optimum seems to be about 8 threads; any more than that and the response time plummets.
>
> However it's just as slow for 1 thread as the test system was.
>
> Also, I'm new to Jmeter so don't know what the best plans are yet. This is a hybrid of Christian's and what the internet presented and what seemed to work.
>
> ----
>
> In relation to your using PNGJ test - Your total average response times are about 1/3rd mine (2.5s compared to my 7.5s for the same thing), while using a heck of a lot less CPU power too. So either I have something really badly configured on my install, or Windows is even more crippled than I thought.
>
> Best,
> Jonathan
>
>
> On 24 December 2013 14:55, Andrea Aime <[email protected]> wrote:
>
>> On Tue, Dec 24, 2013 at 2:43 PM, Jonathan Moules <[email protected]> wrote:
>>
>>> Hi Andrea,
>>> I've pre-packaged everything for you including the data. Layergroups, SLD's (mine are completely different - no idea what theirs look like), and workspaces. I think you'll just need to change where the stores are looking to wherever you put the shapefiles, but you're going to know better than me.
>>>
>>> z_test is the layergroup I'm testing against (it contains the EU basemap and strategi layergroups).
>>>
>>> http://maps.warwickshire.gov.uk/misc/strategi.zip - also includes the JMX.
>>>
>>
>> Thanks. I made a very quick test with what I had handy, a GeoServer 2.4.x, Oracle JDK 7 (which has known scalability issues) and not even the Image/IO native PNG encoder enabled (so, I'm using the slowest PNG encoder in the lot) with a core i7 820 (three years old CPU). I get a throughput that is 2.4 times faster than yours (without even trying... but I'm under Linux 64 bits, that might be a factor):
>>
>> [image: Inline image 2]
>>
>> CPU consumption was around 60%.
>>
>> Btw, this JMeter setup is a bit different than what I'm used to: the various zoom levels are not run sequentially, in isolation, but all together at the same time, using 10 threads, so the real throughput is the TOTAL one, 3.4r/s; the throughput value associated to the various zoom levels is apparently meaningless? The size of the output image is also a factor, it's "big" compared to the sizes that were used for the FOSS4G benchmarks; at 1272x1261 it is roughly 4 times bigger than the average one used in the last public benchmarking effort.
>>
>> When I have time I'll run some tests with OpenJDK and PNGJ and report back, and also have a look at profiles, to see if there is anything obvious to optimize.
>>
>> Cheers
>> Andrea
>>
>> --
>> *== GeoSolutions will be closed for seasonal holidays from 23/12/2013 to 06/01/2014 ==*
>>
>> Ing. Andrea Aime
>> @geowolf
>> Technical Lead
>>
>> GeoSolutions S.A.S.
>> Via Poggio alle Viti 1187
>> 55054 Massarosa (LU)
>> Italy
>> phone: +39 0584 962313
>> fax: +39 0584 1660272
>> mob: +39 339 8844549
>>
>> http://www.geo-solutions.it
>> http://twitter.com/geosolutions_it
>>
>> -------------------------------------------------------
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSuajRAAoJEKqHKCLpKNmo0rMIALzfREmOcnN6fap7juSZ2dkR
0uw4jrFp9/qh7a2n2pglN3S86eAWtxCEUE/E/VaE4znAT1dr71Za4WJ76VMFq9EG
jPgrWywT0UQylaIQUtHJ71Tl2ss92MhpOPifKvzoblvc4SF1e2l7Gz0/YsI79HVX
xu0F/u0MXCe77KK3frqOzprAinvwC2KcUoIv92Cq9r3c++nf7QGkqgt7YFjGgB4t
5dn2krDk47siCRjBWxRqzyzof/eDVqebxLC6PSxI6vZ0tBLV7HO47vCnUUzwcbOc
7m6QfAHOG/XVluaymooAV9xlPHDQcNX735mbgSvJ9nbrniYyixTdTbiVYVdXxGE=
=YnOA
-----END PGP SIGNATURE-----

_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
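The cross-frame scripting finding in the report above comes down to whether a page such as /geoserver/index.html can be embedded in a frame by a page on another origin, which browsers only refuse when the response carries an anti-framing header. The following is an added example (not GeoServer code and not part of the report or the WebInspect output) that evaluates a response's headers for those controls, giving CSP frame-ancestors precedence over X-Frame-Options as browsers do. The header sets at the bottom are constructed, and the `fetch_headers` helper and the URL it would be pointed at are assumptions.

```python
"""Evaluate HTTP response headers for anti-framing controls.

Added example for the cross-frame scripting report; header values below are
constructed, and fetch_headers() is an assumed convenience wrapper.
"""
import urllib.request
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether another origin may embed this response in a frame.

    CSP frame-ancestors is consulted first because browsers that support it
    give it precedence over X-Frame-Options; X-Frame-Options is the fallback.
    Returns {"protected": bool, "by": "csp" | "xfo" | None, "findings": [...]}.
    """
    findings: List[str] = []

    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if "*" in sources:
                findings.append("frame-ancestors permits any origin (*)")
                return {"protected": False, "by": "csp", "findings": findings}
            # 'none', 'self', or an empty list (matches nothing) all block third parties.
            if sources in (["none"], ["self"], []):
                return {"protected": True, "by": "csp", "findings": findings}
            # An explicit allow-list blocks everyone else; report it for review.
            findings.append("frame-ancestors allow-list: " + " ".join(sources))
            return {"protected": True, "by": "csp", "findings": findings}

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("no X-Frame-Options and no frame-ancestors: any origin may frame this page")
        return {"protected": False, "by": None, "findings": findings}

    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "by": "xfo", "findings": findings}
    if value.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        findings.append(f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers")
    return {"protected": False, "by": "xfo", "findings": findings}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Assumed helper: GET a URL you administer and return its response headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # nosec: operator-supplied URL
        return dict(resp.headers.items())


# Constructed header sets standing in for real responses.
SAMPLES = {
    "no controls at all": {"Content-Type": "text/html"},
    "XFO only": {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "CSP overrides obsolete XFO": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    },
    "CSP wide open": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:28s} -> {framing_verdict(hdrs)}")
```

Run it against `fetch_headers("http://your-geoserver/geoserver/index.html")` on an instance you operate to see which case it falls into; the fix for the "no controls" verdict is to have the servlet container or a reverse proxy in front of it add `Content-Security-Policy: frame-ancestors 'self'` (or `X-Frame-Options: SAMEORIGIN` for older browsers) on HTML responses.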
