Aaron Sedgmen ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ac7ef90dd-9bd9-454d-bb56-01406fbfb902 ) *created* an issue
GeoServer / Bug GEOS-10552 ( https://osgeo-org.atlassian.net/browse/GEOS-10552 )
Parameterised AWS keys in S3 blobstore being resolved to literals and written to config file

Issue Type: Bug
Affects Versions: 2.21.0
Assignee: Unassigned
Components: GWC-S3
Created: 20/Jun/22 2:49 AM
Environment: Windows / Linux GeoServer 2.21.0
Priority: Medium
Reporter: Aaron Sedgmen

Parameterised AWS keys in an S3 blobstore are resolved to literals and written to the geowebcache.xml config file when, after initial creation, the blobstore is opened and saved in the GeoServer UI. This can result in secure AWS keys being inadvertently exposed, such as when the GeoServer data_dir is version controlled in a code repository, and requires care to be taken to manually reset the keys to parameterised values in the geowebcache.xml file.

Same issue was occurring with Azure blobstores - https://osgeo-org.atlassian.net/browse/GEOS-9288.
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
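
A check that could run before committing a version-controlled data_dir, to catch the re-saved literals described in the issue. This is an added example, not code from the issue or from the GeoServer project; the element names `S3BlobStore`, `awsAccessKey`, `awsSecretKey` and the `${NAME}` placeholder syntax are assumptions about the geowebcache.xml layout, and the sample document is constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Assumed names of the credential elements inside an S3 blobstore entry.
KEY_TAGS = {"awsAccessKey", "awsSecretKey"}
# Assumed parameterised form: the whole value is a single ${NAME} reference.
PLACEHOLDER = re.compile(r"^\$\{[^{}]+\}$")

# Constructed sample: one parameterised blobstore, one re-saved with literals.
SAMPLE = """<gwcConfiguration xmlns="http://geowebcache.org/schema/constructed">
  <S3BlobStore default="false">
    <id>tiles-parameterised</id>
    <awsAccessKey>${AWS_ACCESS_KEY}</awsAccessKey>
    <awsSecretKey>${AWS_SECRET_KEY}</awsSecretKey>
  </S3BlobStore>
  <S3BlobStore default="false">
    <id>tiles-resaved</id>
    <awsAccessKey>CONSTRUCTED-ACCESS-KEY</awsAccessKey>
    <awsSecretKey>constructed-secret-value</awsSecretKey>
  </S3BlobStore>
</gwcConfiguration>"""


def local_name(tag):
    """Drop an XML namespace prefix such as '{http://...}awsAccessKey'."""
    return tag.rsplit("}", 1)[-1]


def find_literal_keys(xml_doc):
    """Return (blobstore id, element name) for each key stored as a literal."""
    findings = []
    for store in ET.fromstring(xml_doc).iter():
        if local_name(store.tag) != "S3BlobStore":
            continue
        ids = [(c.text or "").strip() for c in store if local_name(c.tag) == "id"]
        for child in store:
            value = (child.text or "").strip()
            if local_name(child.tag) in KEY_TAGS and value and not PLACEHOLDER.match(value):
                # Report the location only; never echo the secret itself.
                findings.append((ids[0] if ids else "", local_name(child.tag)))
    return findings


if __name__ == "__main__":
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_literal_keys(doc)
    for store_id, tag in hits:
        print(f"literal {tag} in S3 blobstore '{store_id}'")
    sys.exit(1 if hits else 0)
```

Run with the path to geowebcache.xml as the only argument; a non-zero exit status means at least one key is stored as a literal.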