Ian Turton ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A8d264a2b-8be0-40de-8b94-9442d49c4f6f ) *created* an issue
GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiODFkMWQ1N2VlZGQ0NDA5Y2E0YzVmNjM4NjYxMjQxNzciLCJwIjoiaiJ9 ) / Bug ( https://osgeo-org.atlassian.net/browse/GEOS-10392?atlOrigin=eyJpIjoiODFkMWQ1N2VlZGQ0NDA5Y2E0YzVmNjM4NjYxMjQxNzciLCJwIjoiaiJ9 )

GEOS-10392: Sending the contents of a tiff file to an "external.geotiff" endpoint in the REST API will crash GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS-10392?atlOrigin=eyJpIjoiODFkMWQ1N2VlZGQ0NDA5Y2E0YzVmNjM4NjYxMjQxNzciLCJwIjoiaiJ9 )

Issue Type: Bug
Affects Versions: 2.20.2
Assignee: Unassigned
Components: REST
Created: 16/Feb/22 6:11 PM
Priority: Medium
Reporter: Ian Turton ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A8d264a2b-8be0-40de-8b94-9442d49c4f6f )

While creating a coverage store via REST using a remote file location (and you happen to be on the same machine), if you leave the @ sign in your curl command line, GeoServer receives the content of the tif as the URL location of the file and attempts to use it without any checking. This causes what looks like a buffer overflow and kills the server. A very carefully constructed tif file could cause a security problem (in theory), and it does DoS the machine even if unintentionally. It would be good if we carried out some basic checks before blindly changing it into a URL.
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100191-sha1:831671b)
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
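One way to do the "basic checks before blindly changing it into a URL" that the report asks for, shown here as an added Python example (not GeoServer's code, which is Java) so the logic can be run and tested on its own. The idea is to classify the raw request body before any URL or file handling happens: a body that starts with a TIFF magic number, is binary, is multi-line, or is far longer than any sane path is rejected up front instead of being handed to the coverage reader. The TIFF/BigTIFF magic numbers are real; the size limit, the set of accepted schemes (only `file:` and bare POSIX paths, since the endpoint describes a local file), and the sample bytes are assumptions constructed for the example.

```python
"""Defensive pre-check for a request body that should be a file location
(as an "external.geotiff"-style endpoint expects), not the file's bytes.

Added example, not GeoServer code.  MAX_LOCATION_BYTES, ALLOWED_SCHEMES and
the sample inputs below are assumptions made for illustration."""
from urllib.parse import urlparse

# Magic numbers of the payload a client is most likely to send by mistake
# here: classic TIFF (little/big endian) and BigTIFF.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*", b"II+\x00", b"MM\x00+")

MAX_LOCATION_BYTES = 4096        # assumed upper bound for a path or file URL
ALLOWED_SCHEMES = {"file", ""}   # "" = bare POSIX path; remote schemes are
                                 # deliberately excluded (assumption)

# Constructed sample: a minimal little-endian TIFF header plus padding,
# i.e. what curl sends when the "@" is left in front of the filename.
TIFF_SAMPLE = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16


class BadLocation(ValueError):
    """Raised when the body cannot be a file location."""


def body_kind(body: bytes) -> str:
    """Cheap classification of the raw body before anything parses it."""
    if body[:4] in TIFF_MAGIC:
        return "tiff-content"
    if len(body) > MAX_LOCATION_BYTES:
        return "too-long"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    # A location is one line of printable text; control bytes (NUL included)
    # mean the body is payload rather than a reference to payload.
    if any(ch < " " and ch not in "\r\n" for ch in text):
        return "binary"
    if "\n" in text.strip("\r\n"):
        return "multiline"
    return "text"


def parse_location(body: bytes) -> str:
    """Return the location string only when the body passes every check."""
    kind = body_kind(body)
    if kind != "text":
        raise BadLocation(f"request body is {kind}, not a file location")
    text = body.decode("utf-8").strip()
    if not text:
        raise BadLocation("empty location")
    # Note: urlparse() treats a Windows drive letter ("C:\\...") as a scheme,
    # so this check assumes POSIX paths or file: URLs.
    scheme = urlparse(text).scheme
    if scheme not in ALLOWED_SCHEMES:
        raise BadLocation(f"scheme {scheme!r} not permitted")
    return text


if __name__ == "__main__":
    # Constructed inputs: one good location, one accidental file upload.
    for body in (b"file:///data/raster.tif\n", TIFF_SAMPLE):
        try:
            print("accepted:", parse_location(body))
        except BadLocation as exc:
            print("rejected:", exc)
```

The check is intentionally ordered cheapest first: the four-byte magic comparison and the length test run before any decoding, so a multi-gigabyte accidental upload is refused without being read into a string. Rejecting the body with a 400 at this point is what turns the reported crash into an ordinary client error.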