Idea (feel free to indicate if it is out of scope).

Environmental variables were introduced to control access for entity
resolution:
- It may be possible to replace these with the new URLChecker and simplify
the application. Or;
- show them as a URLChecker that cannot be disabled in the user interface
(to make it clear they are in play)

Reference:
https://docs.geoserver.org/2.19.x/en/user/production/config.html#production-config-external-entities
--
Jody Garnett


On Wed, Mar 22, 2023 at 10:44 AM Andrea Aime <
andrea.a...@geosolutionsgroup.com> wrote:

> Yep, makes sense, proposal updated.
>
> Cheers
> Andrea
>
> On Wed, Mar 22, 2023 at 6:31 PM Jody Garnett <jody.garn...@gmail.com>
> wrote:
>
>> Indeed, if you are just intending to back from a regex, then rephrase the
>> javadoc or make the method name more clear than "evaluate":
>>
>>     /**
>>      * Provide implementation to evaluate location/URL/URI passed in string form
>>      *
>>      * @param location the subject of evaluation
>>      * @return true if the location is accepted, false otherwise
>>      */
>>     boolean evaluate(String location);
>>
>> "otherwise" above indicates the location would not be accepted.
>>
>> To clarify intent:
>>
>>     /**
>>      * Used to confirm location is allowed for use.
>>      *
>>      * URLChecker is used to confirm if a location is allowed for use,
>>      * returning {@code true} when they recognize a location as permitted.
>>      * Several URLChecker instances are expected to be available, as long
>>      * as one URLChecker can confirm a location it is permitted for use.
>>      *
>>      * @param location Location expressed as URL, URI or path.
>>      * @return {@code true} indicates the URLChecker can confirm the
>>      *     location is allowed for use, {@code false} indicates the URLChecker
>>      *     is unable to confirm.
>>      */
>>     boolean confirm(String location);
>>
>> --
>> Jody Garnett
>>
>>
>> On Wed, Mar 22, 2023 at 10:07 AM Andrea Aime <
>> andrea.a...@geosolutionsgroup.com> wrote:
>>
>>> Hi Jody,
>>> while the suggestion seems to clarify things, it seems to me it's making
>>> the implementation harder.
>>>
>>> With a regular expression based system, how do you distinguish BLOCK and
>>> NO_OPINION (imagine we'd have different implementations, one based on
>>> regexes for user configured sites, and another one for the well known
>>> schema sites, such as schemas.opengis.org and xml.org, or a dynamic one
>>> allowing a store to declare that the server it's talking to is safe).
>>>
>>> The idea here is that the URL is not allowed, unless
>>> explicitly approved. All that we're looking for is a "yes".
>>> The problem with the other state, is that it's really just "not yes",
>>> without any extra useful semantic attached to it.
>>>
>>> Having a state like "BLOCK" would imply the implementation is based on a
>>> black list instead (anything but not this one).
>>> Do you have a use case for it?
>>>
>>> Cheers
>>> Andrea
>>>
>>>
>>>
>>> On Wed, Mar 22, 2023 at 5:45 PM Jody Garnett <jody.garn...@gmail.com>
>>> wrote:
>>>
>>>> The URL checker has a yes/no response - but is written as a yes/don’t
>>>> care - since to access only one URL checker needs to say yes.
>>>>
>>>> To address feedback:
>>>> - Adjust javadoc, or
>>>> - Provide three states: ALLOW, BLOCK, NO_OPINION
>>>>
>>>> My preference is to return an Enum even if just two states are
>>>> permitted to prevent any confusion.
>>>>
>>>> On Wed, Mar 22, 2023 at 9:15 AM Andrea Aime <
>>>> andrea.a...@geosolutionsgroup.com> wrote:
>>>>
>>>>> Hi all,
>>>>> this is a revival of the old GSIP-189, a bit modernized, with a
>>>>> smaller initial scope (that should help us get an implementation going
>>>>> safeguarding some remote access functionality sooner rather than later).
>>>>>
>>>>> Please review, discuss, vote:
>>>>> https://github.com/geoserver/geoserver/wiki/GSIP-218
>>>>>
>>>>> Best regards
>>>>> Andrea
>>>>>
>>>>>
>>>>> ==
>>>>> GeoServer Professional Services from the experts!
>>>>>
>>>>> Visit http://bit.ly/gs-services-us for more information.
>>>>> ==
>>>>>
>>>>> Ing. Andrea Aime
>>>>> @geowolf
>>>>> Technical Lead
>>>>>
>>>>> GeoSolutions Group
>>>>> phone: +39 0584 962313
>>>>>
>>>>> fax:     +39 0584 1660272
>>>>>
>>>>> mob:   +39  339 8844549
>>>>>
>>>>> https://www.geosolutionsgroup.com/
>>>>>
>>>>> http://twitter.com/geosolutions_it
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>> With reference to the legislation on the processing of personal data
>>>>> (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”),
>>>>> please note that every circumstance relating to this email (its
>>>>> content, any attachments, etc.) is information whose knowledge is
>>>>> reserved to the sole recipient(s) indicated by the sender. If the
>>>>> message has reached you by mistake, you are required to delete it; any
>>>>> other operation is unlawful. I would nonetheless be grateful if you
>>>>> could notify me.
>>>>>
>>>>> This email is intended only for the person or entity to which it is
>>>>> addressed and may contain information that is privileged, confidential or
>>>>> otherwise protected from disclosure. We remind that - as provided by
>>>>> European Regulation 2016/679 “GDPR” - copying, dissemination or use of
>>>>> this e-mail or the information herein by anyone other than the intended
>>>>> recipient is prohibited. If you have received this email by mistake,
>>>>> please notify us immediately by telephone or e-mail
>>>>> _______________________________________________
>>>>> GeoTools-Devel mailing list
>>>>> geotools-de...@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>>>>>
>>>> --
>>>> --
>>>> Jody Garnett
>>>>
>>>
>>>
>>
>
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
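
The two-state contract discussed in this thread (a checker either confirms a location or is unable to confirm it, and one confirmation is enough), sketched as an added example; this is not code from GSIP-218 or from GeoServer/GeoTools. The helper names `regex`, `hosts` and `isAllowed`, the class name and the sample locations are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class UrlCheckerDemo {
    /** Two-state contract from the thread: true = confirmed, false = unable to confirm. */
    interface URLChecker {
        boolean confirm(String location);
    }

    /** User-configured entry (hypothetical helper); matches() requires a full match. */
    static URLChecker regex(String expression) {
        Pattern pattern = Pattern.compile(expression);
        return location -> pattern.matcher(location).matches();
    }

    /** Well-known schema hosts (hypothetical helper), compared on the parsed host. */
    static URLChecker hosts(Set<String> allowed) {
        return location -> {
            try {
                String host = URI.create(location).getHost();
                return host != null && allowed.contains(host.toLowerCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                return false; // unparsable location: unable to confirm
            }
        };
    }

    /** Deny by default: a location is usable only if at least one checker confirms it. */
    static boolean isAllowed(List<URLChecker> checkers, String location) {
        return checkers.stream().anyMatch(c -> c.confirm(location));
    }

    public static void main(String[] args) {
        List<URLChecker> checkers = List.of(
                hosts(Set.of("schemas.opengis.org", "xml.org")), // hosts named in the thread
                regex("^https://data\\.example\\.com/wms\\?.*$")); // constructed entry
        String[] samples = { // constructed locations
            "http://schemas.opengis.org/wfs/2.0/wfs.xsd",     // ALLOW: host checker
            "https://data.example.com/wms?service=WMS",       // ALLOW: regex checker
            "http://schemas.opengis.org.example.net/wfs.xsd", // DENY: look-alike host
            "file:///tmp/local.xsd"                           // DENY: no checker confirms
        };
        for (String s : samples) {
            System.out.println((isAllowed(checkers, s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

With an empty checker list `isAllowed` returns false for every location, which is the "not allowed unless explicitly approved" default; a BLOCK state would only matter if some checker could override another's confirmation.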
