Hey folks, I added the ENTITY_RESOLUTION_ALLOWLIST option for a long time but nobody was noticing very much! I am glad you found the setting and have been working though how it works.
You are correct that it is used to mitigate the service side request forgery attacks. Some software is very susceptible to being attacked (like with headers and stuff) and we did not wish GeoServer to be the cause of trouble. Since it was enabled by default we made some more improvements for the 2.25.1 release which are mentioned in the release notes. The use of ENTITY_RESOLUTION_ALLOWLIST=* would allow GeoServer to access *any* http location. The External Entity setting security risk allows any location on disk to be accessed (which is required for things like application schema where you have your schema files in the data directory). It is preferable to host your schema somewhere public, like maybe the geoserver/www folder. And you can list additional locations in the ENTITY_RESOLUTION_ALLOWLIST value. Q: Did any of you find the documentation? - https://docs.geoserver.org/latest/en/user/production/config.html#external-entities-resolution - https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities Q: The "null" thing was a surprise to me - it was when the external entity was a DTD (and thus did not have a name). The error message assumed everything would have a name and that the name would be a useful way to tell what could not be found in your document. -- Jody Garnett On Jun 17, 2024 at 5:22:37 AM, Calliess Daniel Ing. < daniel.calli...@stadt-salzburg.at> wrote: > Hello Jean-Christophe, > > > > I just upgraded to V2.25.1 and the error is gone, so no more workaround is > necessary. > > > > Regards > > Daniel > > > > *From:* Jean-Christophe Bastin <jcbas...@thelis.be> > *Sent:* Dienstag, 23. April 2024 12:05 > *To:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; > 'geoserver-users' <geoserver-users@lists.sourceforge.net> > *Subject:* Re: [Geoserver-users] WMS broken after GeoServer Update > (SAXException) > > > > Hello Daniel, > > > > Thank you very much for the details. > > As you advice, I changed my configuration to not check this global > setting, and set the parameter ENTITY_RESOLUTION_ALLOWLIST=* in the web.xml > of GeoServer. > > It looks like the error message is gone in this way. > > > > Regards, > > > > *Jean-Christophe* > > > > *De :* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at> > *Envoyé :* lundi 22 avril 2024 17:50 > *À :* Jean-Christophe Bastin <jcbas...@thelis.be>; 'geoserver-users' < > geoserver-users@lists.sourceforge.net> > *Objet :* RE: WMS broken after GeoServer Update (SAXException) > > > > Hello Jean-Christophe, > > > > when users upload XML documents to your server those files can contain > links to other documents (f.e. for namespace or schema definitions). An > attacker could send a document containing links to files on the server's > disk and somehow cause the server to leak this information I think. Or > include links to ressources on the internet that lead GeoServer to > misbehave. More specific information might come from the GeoServer > developers. See also > https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities > in the documenation. > > > > So I'm trying to avoid weakening the External Entity settings if possible. > And also would suggest you use the "-DENTITY_RESOLUTION_ALLOWLIST=*" > parameter (see > https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) > for the moment because it only allows access to online ressources, not to > local files on the server. > > > > Regards > > Daniel > > > > > > *From:* Jean-Christophe Bastin <jcbas...@thelis.be> > *Sent:* Montag, 22. April 2024 16:41 > *To:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; > 'geoserver-users' <geoserver-users@lists.sourceforge.net> > *Subject:* RE: WMS broken after GeoServer Update (SAXException) > > > > Hello Daniel, > > > > I found a solution. I don’t know if this is the same behavior than your > parameter DENTITY_RESOLUTION_ALLOWLIST=*. > > In Configuration, Global, you have “Unlimited resolution of XML external > entities (security risk)” (this is translated from french, sorry if it’s > not exactly the same words). > > After checked and applied changes, the error is gone when consulting > layers. > > BUT, I see the “security risk” with this parameter, and I don’t know what > is it exactly. > > > > If someone can explain what is it talking about, I’ll appreciate it :) > > > > Many thanks. > > > > *Jean-Christophe* > > > > *De :* Jean-Christophe Bastin > *Envoyé :* lundi 22 avril 2024 16:13 > *À :* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>; > 'geoserver-users' <geoserver-users@lists.sourceforge.net> > *Objet :* RE: WMS broken after GeoServer Update (SAXException) > > > > Hello, > > > > I was about to write an equivalent message to the community for the same > error. > > In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many > issues that I was able to manage by myself. But the last issue (I hope) I > see now is for any layer I want to preview, or access to show, I get also a > service exception > “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: > Entity resolution disallowed for null”. > > > > I’m really interested to have also some support on this point. > > > > Many thanks. > > > > *Jean-Christophe* > > > > *De :* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at> > *Envoyé :* lundi 22 avril 2024 15:00 > *À :* 'geoserver-users' <geoserver-users@lists.sourceforge.net> > *Objet :* [Geoserver-users] WMS broken after GeoServer Update > (SAXException) > > > > Hi, > > > > I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and > now I can't preview WMS layers. The error message is: > "java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: > Entity resolution disallowed for null". The same message is shown when I > try to validate an SLD stylesheet. I copied the full stack trace to a file > and attached it to this message. I also reverted back to the data dir > included in the 2.25.0 release and can reproduce the error f.e. with the > 'point' style. > > > > I now found out that when I'm starting GeoServer with the > -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this > parameter shouldn't be necessary because the styles are only containing > references to www.opengis.net and www.w3.org which are in the default > list of allowed domains for entity expansion according to the > documentation > <https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities> > . > > > > The geoserver log shows a lot of "WARN [geotools.xsd] - Sax parser > property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' > not recognized. Xerces version is incompatible." messages. Might there be > a connection to the above issue? > > > > Am I doing something wrong? > > > > Thank you and best regards > Daniel > _______________________________________________ > Geoserver-users mailing list > > Please make sure you read the following two resources before posting to > this list: > - Earning your support instead of buying it, but Ian Turton: > http://www.ianturton.com/talks/foss4g.html#/ > - The GeoServer user list posting guidelines: > http://geoserver.org/comm/userlist-guidelines.html > > If you want to request a feature or an improvement, also see this: > https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer > > > Geoserver-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-users >
_______________________________________________ Geoserver-users mailing list Please make sure you read the following two resources before posting to this list: - Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/ - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
