Attending
------------
* Andrea Aime
* Jukka Rahkonen
* Torben Barsballe
* Jody Garnett
* Ian Turton

Actions
----------
- short list security vulnerabilities for bug stomp
- Torben: Look into gs-scripting build

Actions from last meeting:
----------------------------------
- IanT: email release announcements to dev/users/discuss/etc... it is a major release (done)
- Jody: FOSS4G videos/roundup

Agenda
----------
- release 2.9.3
- bug stomp
- security vulnerabilities part 3
- layer group security introduction
- fast lookup of SRS codes

Release 2.9.3
-------------------
Jody volunteered, wants to do this tomorrow, prior to bug stomp.
Going to stick with the release schedule, even if it means we need an extra release for security vulnerabilities (see next agenda topic).
Does anyone have anything they are expecting in 2.9.3?
- not really
- bug discussion

Bug stomp
--------------
Blog post: http://blog.geoserver.org/2016/11/09/bug-stomp/
Hoping for a good turnout. Would like to do a better job "on boarding" new volunteers. Ideas?
Friction now:
* Hard choosing bugs that are easy
* No such thing as an easy bug fix :)
* Initially help by reproducing issues?
* Tends to be easier to start at GeoTools with unit tests etc...
* Pick topic, and ask on gitter
* Note: Get set up on gitter / dev env the day before.

Andrea running some stats, not including old features that did not get funding. If we keep this pace we are almost "keeping up" with newly reported bugs:
- How to keep up? Need more action ...
- Idea: get more help to confirm bugs are reproducible
- Idea: target docs on common misunderstandings (mostly the REST API, native extensions in GeoServer, image mosaic)

security vulnerabilities part 3
--------------------------------------
https://osgeo-org.atlassian.net/projects/GEOS/issues/GEOS-7848: Open proxy vulnerability
a) rewrite the demo page? Client side requests
   - this is a big time commitment (for someone that does not do javascript normally)
   - need proficient javascript development
b) remove the demo page? Replace with request builders for WMS, WFS?
   - these may be using the same servlet? Sigh...
c) make a config option to disable the request servlet?
d) How about making it a "non open" request servlet?
   - limit it to localhost/geoserver? that could work ...
   - let's give that a go...
The class in question is named TestWfsPost.java

https://osgeo-org.atlassian.net/projects/GEOS/issues/GEOS-7849: Session fixation vulnerability
- Wicket may have a setting for this?
- solution: call replaceSession() during login...

https://osgeo-org.atlassian.net/projects/GEOS/issues/GEOS-7850: XML injection vulnerability
- surprised this was not picked up in last round of fixes
- solution - escape error response

layer group security introduction
------------------------------------------
Pending GSIP, this kind of makes sense from the user perspective.
ResourceAccessManager already has the method, we just do not have the implementation. Also has a method to secure styles ...
Syntax "issue":
workspace.layer.access=rolelist (existing)
workspace.lg.access=rolelist (sort of safe, wms will always pick the layer)
workspace.*.access=rolelist
lg.access=rolelist
Conflict?
- layer group and layer with same name (choose the layer, be consistent)
- layer group and workspace with same name (annoying, the * marks workspace so no conflict)
Semantic issue: data security is about data, normally does not care about protocol. But... layer groups exist only in WMS.
- GetMap/GetFeatureInfo KVP Parser (exploded immediately, but goes through catalog)
- GetCapabilities, to build the tree
Container layer groups, they seem to contain layers, but only in WMS capabilities. So one workflow can get to the layers (via a Single LayerGroup), but not directly (since it is hidden by Named or Container layergroup security).
- 1 basemap (single) (contains a and b, nobody can see that)
- 2 folder (container, security restriction)
  -- a
  -- b
- 3 folder (container, allowed)
  -- b
  -- c
User will see the following net capabilities document:
- 1 basemap (single) (contains a and b, nobody can see that)
- 3 folder (container, allowed)
  -- b
  -- c
Result: a is not accessible anymore in WMS, but it still shows up in either WFS or WCS
Q: Is this understandable?
A: yes, but documentation will need an example.
Note: This only affects WMS, because WFS/WCS do not have the layer group concept.

Fast lookup of SRS codes
-------------------------------------
Tested against a database of 4000 prj files. Restore GeoServer 1.7 functionality?
- old fast path: based on id or crs name... never matches
- new fast path: also makes a bunch of queries against the EPSG database (< 100ms)
- slow path - load into memory and compare
Options:
- Add to demo request page?
- include prj->epsg lookup in layer resource page?
Stats:
Total codes in ESRI sampler: 4495
Match (<100ms): 3203
Failed to match: 76 (due to mercator 1sp/2sp, datum aliases conflicts)
Code not really in the EPSG database: 1077
AXIS_DIRECTION: 20 (polar stereo, weird axis direction)
EXCEPTION: 119 (lack the projection math)
Total time spent in lookups: 81398
Average time per entry: 18

Discussion
------------
Python scripting community module
- Currently missing from the build, relies on the GeoScript lib which was last built against GT-13
- Possibly used in Boundless suite
- If the code can be found Ian has some time to pull it up to date and re-add to the build
- If it can't be found, should we consider pulling/moving the docs
OSGeo live
- See email thread from Ben
QGIS SLD Export
- some (small) work expected in January
- encourage communication/collaboration etc...

--
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
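The "limit it to localhost/geoserver" option for the request servlet (GEOS-7848 in the notes above), as an added example in Python that is not GeoServer's own fix: a same-origin check for the forwarding target, where the instance's own base URL(s) are assumed to be configured by the operator.

```python
import posixpath
from urllib.parse import urlsplit

# Added illustration, not GeoServer's own code: a target check for a
# request-forwarding servlet such as TestWfsPost, following the "limit it
# to localhost/geoserver" option from the notes. The servlet may only
# forward to the instance it belongs to; ALLOWED_BASES is an assumed,
# operator-configured list of that instance's own base URLs.

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_BASES = ["http://localhost:8080/geoserver"]  # constructed sample


def origin(url):
    """Return (scheme, host, port) with the default port filled in,
    or None when the URL is not a usable http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    return scheme, parts.hostname, port or DEFAULT_PORTS[scheme]


def is_allowed_target(target_url, allowed_bases=ALLOWED_BASES):
    """True only if target_url has the same scheme/host/port as one of
    the allowed bases and its normalised path stays under that base's
    context path (e.g. /geoserver), so '..' segments cannot escape it."""
    target = urlsplit(target_url)
    if target.username is not None or target.password is not None:
        return False  # 'localhost:8080@other.host' style URLs are refused
    t_origin = origin(target_url)
    if t_origin is None:
        return False
    path = posixpath.normpath(target.path) + "/"
    for base in allowed_bases:
        context = urlsplit(base).path.rstrip("/") + "/"
        if origin(base) == t_origin and path.startswith(context):
            return True
    return False
```

Hostnames are compared literally, so every name the instance is reachable under (localhost, 127.0.0.1, its public name) has to be listed; the check does not resolve DNS.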
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel