Re: [Geotools-devel] GEOT-5514 and DTD XEE attacks

2016-09-21 Thread Dave Blasby
Hi, Andrea (et al), Thanks for putting out these changes so quickly! I heard that this issue could be affecting WFS, WPS, and GWC - do you have any information on this? I see some changes in the PRs in WPS and WFS (but nothing in GWC). Or do these two PRs fix everything? Also, does this issue

Re: [Geotools-devel] GEOT-5514 and DTD XEE attacks

2016-09-21 Thread Andrea Aime
On Wed, Sep 21, 2016 at 10:56 AM, Andrea Aime wrote: > Turns out I got some time myself, I'm going to have a look at passing the > hints from the constructor > Pull requests available for review and merge: Master: - https://github.com/geotools/geotools/pull/1318 -

Re: [Geotools-devel] GEOT-5514 and DTD XEE attacks

2016-09-21 Thread Andrea Aime
On Wed, Sep 21, 2016 at 10:10 AM, Andrea Aime wrote: > On Wed, Sep 21, 2016 at 10:00 AM, Jody Garnett > wrote: > >> Thanks Andrea your words confirm my own research. >> >> Out of the alternatives I prefer the constructor hint. Once inside

Re: [Geotools-devel] GEOT-5514 and DTD XEE attacks

2016-09-21 Thread Jody Garnett
Thanks Andrea your words confirm my own research. Out of the alternatives I prefer the constructor hint. Once inside the WebMapService object it is easier to pass the hints to where they are needed. For the system hint approach, if you like that more, was focused on setting an entity resolver.

Re: [Geotools-devel] gt 15.x/gwc 1.9.2/gs 2.9.x release delayed one more day due to a blocker

2016-09-21 Thread Andrea Aime
Hi, sad news, the blocker from yesterday was solved, but I found a new one (cannot update stores, GeoServer complains the store already exists) and realized that the XEE vulnerability reported on WMS cascading has not yet been solved. Until both are fixed we won't be able to release 2.9.2. I have

Re: [Geotools-devel] GEOT-5514 and DTD XEE attacks

2016-09-21 Thread Andrea Aime
Hi Jody, yep, I've just confirmed that as-is, the code is pretty much useless and an XEE attack can be performed. The hints do not have a path to be passed down, as they originate here, and are hard-coded: