Hi all, apologies if this isn't the most appropriate place to discuss.
A customer ran a security scan against the GeoFence community module in
GeoServer and found 4 Medium priority vulnerabilities in the module,
related to potentially storing passwords in heap/memory. After looking at
the scan results, the findings were isolated to just
/src/community/geofence/src/main/java/org/geoserver/geoserver/authentication/filter/GeoFenceAuthFilter.java
Upon further investigation, I found that all of the findings were contained
inside 2 methods, both of which are private. The doAuth() method does not
appear to be called anywhere in the class, and the getBasicAuth() method is
only called from within the doAuth() method. I don't really know the
GeoFence module well, but it would seem that these 2 methods could simply
be removed from the code.
I have a PR here:
https://github.com/geoserver/geoserver/pull/2791
If I have overlooked something, I would appreciate any comments or feedback.
Many thanks,
Erik Merkle
Software Engineer | Boundless
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel