Hey folks,

I added the ENTITY_RESOLUTION_ALLOWLIST option a long time ago but nobody
was noticing very much! I am glad you found the setting and have been
working through how it works.

You are correct that it is used to mitigate server-side request
forgery attacks. Some software is very susceptible to being attacked (like
with headers and stuff) and we did not wish GeoServer to be the cause of
trouble.

Since it was enabled by default we made some more improvements for the
2.25.1 release which are mentioned in the release notes.

The use of ENTITY_RESOLUTION_ALLOWLIST=* would allow GeoServer to access
*any* http location. The External Entity setting security risk allows any
location on disk to be accessed (which is required for things like
application schema where you have your schema files in the data directory).

It is preferable to host your schema somewhere public, like maybe the
geoserver/www folder. And you can list additional locations in
the ENTITY_RESOLUTION_ALLOWLIST value.

Q: Did any of you find the documentation?

- https://docs.geoserver.org/latest/en/user/production/config.html#external-entities-resolution
- https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities


Q: The "null" thing was a surprise to me - it was when the external entity
was a DTD (and thus did not have a name). The error message assumed
everything would have a name and that the name would be a useful way to
tell what could not be found in your document.



--
Jody Garnett
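The behaviour described in the reply above (a default allowlist of hosts, ENTITY_RESOLUTION_ALLOWLIST=* meaning any http location but never the local disk, the global "unlimited" setting allowing file access, and an error message that printed "null" for a nameless external DTD), as an added Python example that is not GeoServer code and was not posted in this thread. GeoServer is Java, but the SAX EntityResolver hook is the same idea, and Python's xml.sax lets it run here offline. The matching rules and messages are my own simplification of the documented behaviour; the two default hosts are the ones this thread names (the real default list is longer); the sample documents, the canned fetch results and the 169.254.169.254 metadata URL are constructed inputs.

```python
"""Allowlisted XML external-entity resolution, modelled on the behaviour the
GeoServer docs give for ENTITY_RESOLUTION_ALLOWLIST. Added example, not
GeoServer code; matching rules, messages and sample inputs are my own."""
import io
from urllib.parse import urlsplit
import xml.sax
from xml.sax import handler, xmlreader

# The two hosts the thread names from the default allowlist (assumption: the
# real GeoServer default list is longer; two entries suffice to illustrate).
DEFAULT_ALLOWLIST = ("www.w3.org", "www.opengis.net")

class EntityResolutionDisallowed(xml.sax.SAXException):
    """Raised for an external entity the allowlist does not cover."""

def describe_entity(public_id, system_id):
    """Never print 'null': an external DTD has no name, so fall back to its ids."""
    return (system_id or (public_id and "public id " + public_id)
            or "an unnamed external entity")

def is_allowed(system_id, allowlist=DEFAULT_ALLOWLIST, unlimited=False):
    """unlimited = the 'Unlimited resolution ... (security risk)' setting: all
    resolves, file: included. Else '*' = any http(s) URL, 'host', 'host/path'."""
    if unlimited:
        return True
    parts = urlsplit(system_id or "")
    if parts.scheme not in ("http", "https"):
        return False  # file:, jar:, relative paths, missing id: no disk, even with '*'
    host = (parts.hostname or "").lower()
    location = host + parts.path
    return any(e == "*" or ("/" in e and location.startswith(e)) or host == e
               for e in (x.strip().lower() for x in allowlist))

class AllowlistEntityResolver(handler.EntityResolver):
    """Refuses anything outside the allowlist; fetch(url) -> bytes is injected
    so the example runs offline."""

    def __init__(self, allowlist=DEFAULT_ALLOWLIST, unlimited=False, fetch=None):
        self.allowlist, self.unlimited = tuple(allowlist), unlimited
        self.fetch = fetch or (lambda system_id: b"")

    def resolveEntity(self, publicId, systemId):
        if not is_allowed(systemId, self.allowlist, self.unlimited):
            raise EntityResolutionDisallowed("Entity resolution disallowed for "
                                             + describe_entity(publicId, systemId))
        source = xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(self.fetch(systemId)))
        return source

class _TextCollector(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_with_allowlist(xml_bytes, allowlist=DEFAULT_ALLOWLIST,
                         unlimited=False, fetch=None):
    """Returns ('ok', text content) or ('blocked', error message)."""
    parser = xml.sax.make_parser()
    # expat skips external entities unless asked; opt in so the resolver runs
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(AllowlistEntityResolver(allowlist, unlimited, fetch))
    text = _TextCollector()
    parser.setContentHandler(text)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except EntityResolutionDisallowed as exc:
        return ("blocked", str(exc))
    return ("ok", "".join(text.parts))

# Constructed inputs (not from the thread): an internal-subset entity is the
# classic XXE/SSRF vehicle, an external DTD the nameless case behind the
# 'disallowed for null' message; canned bodies stand in for network and disk.
def doc_with_entity(url):
    return b'<!DOCTYPE doc [<!ENTITY x SYSTEM "%s">]><doc>&x;</doc>' % url.encode()

DOC_EXTERNAL_DTD = b'<!DOCTYPE doc SYSTEM "file:///opt/geoserver/data_dir/doc.dtd"><doc/>'
W3C, META, PASSWD = ("http://www.w3.org/2001/xml.xsd",
                     "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd")
CANNED = {W3C: b"<schema>xml.xsd-from-w3c</schema>",
          META: b"<meta>instance-metadata</meta>",
          PASSWD: b"<passwd>root:x:0:0:root:/root:/bin/bash</passwd>"}

def demo(fetch=lambda system_id: CANNED.get(system_id, b"")):
    """The three configurations from the thread, run over the sample inputs."""
    cases = {  # name: (document, parser options)
        "default/file": (doc_with_entity(PASSWD), {}),
        "default/internal-host": (doc_with_entity(META), {}),
        "default/w3c": (doc_with_entity(W3C), {}),
        "default/external-dtd": (DOC_EXTERNAL_DTD, {}),
        # ENTITY_RESOLUTION_ALLOWLIST=*: any http location, still no disk
        "star/internal-host": (doc_with_entity(META), {"allowlist": ("*",)}),
        "star/file": (doc_with_entity(PASSWD), {"allowlist": ("*",)}),
        "unlimited/file": (doc_with_entity(PASSWD), {"unlimited": True}),
    }
    return {name: parse_with_allowlist(doc, fetch=fetch, **kw)
            for name, (doc, kw) in cases.items()}
```

Calling `demo()` returns one (status, detail) pair per case: with the default list the file:// entity, the internal metadata URL and the nameless external DTD are all refused, and the DTD case is reported by its system id rather than as "null"; with `("*",)` the metadata URL resolves (the SSRF exposure the reply warns about) while file:// is still refused; only `unlimited=True` lets the local file through. The design choice worth copying is that the scheme check comes before any allowlist matching, so no allowlist entry, including `*`, can ever reach the disk.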


On Jun 17, 2024 at 5:22:37 AM, Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at> wrote:

> Hello Jean-Christophe,
>
>
>
> I just upgraded to V2.25.1 and the error is gone, so no more workaround is
> necessary.
>
>
>
> Regards
>
> Daniel
>
>
>
> *From:* Jean-Christophe Bastin <jcbas...@thelis.be>
> *Sent:* Tuesday, 23 April 2024 12:05
> *To:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>;
> 'geoserver-users' <geoserver-users@lists.sourceforge.net>
> *Subject:* Re: [Geoserver-users] WMS broken after GeoServer Update
> (SAXException)
>
>
>
> Hello Daniel,
>
>
>
> Thank you very much for the details.
>
> As you advised, I changed my configuration to not check this global
> setting, and set the parameter ENTITY_RESOLUTION_ALLOWLIST=* in the web.xml
> of GeoServer.
>
> It looks like the error message is gone in this way.
>
>
>
> Regards,
>
>
>
> *Jean-Christophe*
>
>
>
> *From:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
> *Sent:* Monday, 22 April 2024 17:50
> *To:* Jean-Christophe Bastin <jcbas...@thelis.be>; 'geoserver-users' <geoserver-users@lists.sourceforge.net>
> *Subject:* RE: WMS broken after GeoServer Update (SAXException)
>
>
>
> Hello Jean-Christophe,
>
>
>
> When users upload XML documents to your server those files can contain
> links to other documents (f.e. for namespace or schema definitions). An
> attacker could send a document containing links to files on the server's
> disk and somehow cause the server to leak this information I think. Or
> include links to resources on the internet that lead GeoServer to
> misbehave. More specific information might come from the GeoServer
> developers. See also
> https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities
> in the documentation.
>
>
>
> So I'm trying to avoid weakening the External Entity settings if possible.
> And I would also suggest you use the "-DENTITY_RESOLUTION_ALLOWLIST=*"
> parameter (see
> https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities)
> for the moment because it only allows access to online resources, not to
> local files on the server.
>
>
>
> Regards
>
> Daniel
>
>
>
>
>
> *From:* Jean-Christophe Bastin <jcbas...@thelis.be>
> *Sent:* Monday, 22 April 2024 16:41
> *To:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>;
> 'geoserver-users' <geoserver-users@lists.sourceforge.net>
> *Subject:* RE: WMS broken after GeoServer Update (SAXException)
>
>
>
> Hello Daniel,
>
>
>
> I found a solution. I don’t know if this is the same behavior as your
> parameter -DENTITY_RESOLUTION_ALLOWLIST=*.
>
> In Configuration, Global, you have “Unlimited resolution of XML external
> entities (security risk)” (this is translated from French, sorry if it’s
> not exactly the same words).
>
> After checking and applying the changes, the error is gone when consulting
> layers.
>
> BUT, I see the “security risk” with this parameter, and I don’t know what
> it is exactly.
>
>
>
> If someone can explain what it is talking about, I’ll appreciate it :)
>
>
>
> Many thanks.
>
>
>
> *Jean-Christophe*
>
>
>
> *From:* Jean-Christophe Bastin
> *Sent:* Monday, 22 April 2024 16:13
> *To:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>;
> 'geoserver-users' <geoserver-users@lists.sourceforge.net>
> *Subject:* RE: WMS broken after GeoServer Update (SAXException)
>
>
>
> Hello,
>
>
>
> I was about to write an equivalent message to the community for the same
> error.
>
> In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many
> issues that I was able to handle by myself. But the last issue (I hope) I
> see now is that for any layer I want to preview or access, I also get a
> service exception
> “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException:
> Entity resolution disallowed for null”.
>
>
>
> I’m also really interested in getting some support on this point.
>
>
>
> Many thanks.
>
>
>
> *Jean-Christophe*
>
>
>
> *From:* Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at>
> *Sent:* Monday, 22 April 2024 15:00
> *To:* 'geoserver-users' <geoserver-users@lists.sourceforge.net>
> *Subject:* [Geoserver-users] WMS broken after GeoServer Update
> (SAXException)
>
>
>
> Hi,
>
>
>
> I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and
> now I can't preview WMS layers. The error message is:
> "java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException:
> Entity resolution disallowed for null". The same message is shown when I
> try to validate an SLD stylesheet. I copied the full stack trace to a file
> and attached it to this message. I also reverted back to the data dir
> included in the 2.25.0 release and can reproduce the error f.e. with the
> 'point' style.
>
>
>
> I now found out that when I'm starting GeoServer with the
> -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this
> parameter shouldn't be necessary because the styles are only containing
> references to www.opengis.net and www.w3.org which are in the default
> list of allowed domains for entity expansion according to the
> documentation
> <https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities>
> .
>
>
>
> The geoserver log shows a lot of "WARN   [geotools.xsd] - Sax parser
> property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit'
> not recognized.  Xerces version is incompatible." messages. Might there be
> a connection to the above issue?
>
>
>
> Am I doing something wrong?
>
>
>
> Thank you and best regards
> Daniel
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>