Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett
You are welcome to add one; the Hint DISABLE_EXTERNAL_ENTITIES is listed in
the javadoc for DocumentFactory linked above (and there are examples of use
in the test cases).

Another approach is to look at the source code for
PreventLocalEntityResolver and make one that is even more restrictive.

Keep in mind that this is for one of our earlier XML parsers which is now
pretty much only used by gt-wms. I already feel a bit uncomfortable
changing the default to use PreventLocalEntityResolver.

--
Jody Garnett

On 16 October 2016 at 16:33, Ben Caradoc-Davies  wrote:

> Jody,
>
> do we have an example of how to use Hints to prevent remote external
> entity resolution? This is another type of XXE vulnerability. Some users
> may wish to parse untrusted XML documents without the risk of, for example,
> triggering malicious REST calls against their internal network.
>
> Kind regards,
> Ben.
>
>
> On 17/10/16 07:53, Jody Garnett wrote:
>
>> Ben we prevent resolving to local files by default, but we do resolve to
>> external ones.
>> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies 
>> wrote:
>>
>> Indeed, and thanks for the detailed docs.
>>>
>>> There are situations where XML external entity resolution is necessary;
>>> users must consider the vulnerabilities inherent in resolving XML
>>> external entities in untrusted documents. Disabling external entity
>>> resolution is a safe default.
>>>
>>> Kind regards,
>>> Ben.
>>>
>>> On 16/10/16 11:27, Jody Garnett wrote:
>>>
>>>> Fair correction Ben, but we do have instructions for turning the security
>>>> vulnerability back on :)

>>>
>>> --
>>> Ben Caradoc-Davies 
>>> Director
>>> Transient Software Limited 
>>> New Zealand
>>>
>>>
> --
> Ben Caradoc-Davies 
> Director
> Transient Software Limited 
> New Zealand
>
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
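Added example (an editor's illustration, not code from this thread or from the GeoTools project): the "even more restrictive" resolver Jody suggests writing, built on the standard org.xml.sax API so it compiles without GeoTools on the classpath. It refuses every external entity, remote as well as local, which is the behaviour Ben asks about, and pairs it with a JAXP parser configured to reject DOCTYPE declarations outright as a second, independent layer. The class name DenyAllEntityResolver, the sample document and its placeholder URL are constructed for this example; the commented-out wiring line reuses Hints.putSystemDefault and Hints.ENTITY_RESOLVER exactly as the release announcement gives them, and assumes the 15.x package org.geotools.factory.

```java
// Added example, not GeoTools project code. Everything below uses only the
// JDK's JAXP/SAX classes; the GeoTools wiring at the end is an assumption
// (package org.geotools.factory for the 15.x Hints class).
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Stricter than a "prevent local" resolver: refuses file:, http:, jar:, everything. */
public final class DenyAllEntityResolver implements EntityResolver {
    public static final DenyAllEntityResolver INSTANCE = new DenyAllEntityResolver();

    private DenyAllEntityResolver() {}

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        // Fail closed. Returning an empty InputSource would silently expand the
        // entity to nothing; throwing makes the rejection visible in logs and tests.
        throw new SAXException("External entity resolution is disabled (publicId="
                + publicId + ", systemId=" + systemId + ")");
    }

    /** A parser that never accepts a DOCTYPE, so no entity can be declared at all. */
    public static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity with a
        // placeholder URL. Nothing is ever contacted; both layers reject it first.
        String untrusted = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
                + "<d>&ext;</d>";

        // Layer 1: the parser refuses the DOCTYPE before any entity exists.
        try {
            hardenedParser().parse(new InputSource(new StringReader(untrusted)), new DefaultHandler());
            System.out.println("unexpected: document accepted");
        } catch (SAXException expected) {
            System.out.println("parser rejected DOCTYPE: " + expected.getMessage());
        }

        // Layer 2: a default parser that does allow DOCTYPE, but routes every
        // entity lookup through DenyAllEntityResolver, still never fetches it.
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setEntityResolver(INSTANCE);
        try {
            reader.parse(new InputSource(new StringReader(untrusted)));
            System.out.println("unexpected: entity resolved");
        } catch (SAXException expected) {
            System.out.println("resolver refused entity: " + expected.getMessage());
        }

        // GeoTools wiring (assumption: org.geotools.factory.Hints in 15.x). This is
        // the announcement's putSystemDefault call with the stricter resolver in
        // place of NullEntityResolver; uncomment when GeoTools is on the classpath.
        // org.geotools.factory.Hints.putSystemDefault(
        //         org.geotools.factory.Hints.ENTITY_RESOLVER, DenyAllEntityResolver.INSTANCE);
    }
}
```

The resolver layer is the one that matters for code paths such as gt-wms that keep their own parser setup and only expose the ENTITY_RESOLVER hint; the DOCTYPE ban is the simpler control wherever you own the parser, since a document that cannot declare an entity cannot ask for one to be resolved.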


Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Ben Caradoc-Davies
Jody,

do we have an example of how to use Hints to prevent remote external 
entity resolution? This is another type of XXE vulnerability. Some users 
may wish to parse untrusted XML documents without the risk of, for 
example, triggering malicious REST calls against their internal network.

Kind regards,
Ben.

On 17/10/16 07:53, Jody Garnett wrote:
> Ben we prevent resolving to local files by default, but we do resolve to
> external ones.
> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies  wrote:
>
>> Indeed, and thanks for the detailed docs.
>>
>> There are situations where XML external entity resolution is necessary;
>> users must consider the vulnerabilities inherent in resolving XML
>> external entities in untrusted documents. Disabling external entity
>> resolution is a safe default.
>>
>> Kind regards,
>> Ben.
>>
>> On 16/10/16 11:27, Jody Garnett wrote:
>>> Fair correction Ben, but we do have instructions for turning the security
>>> vulnerability back on :)
>>
>> --
>> Ben Caradoc-Davies 
>> Director
>> Transient Software Limited 
>> New Zealand
>>

-- 
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand



Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett
Ben we prevent resolving to local files by default, but we do resolve to
external ones.
On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies  wrote:

> Indeed, and thanks for the detailed docs.
>
> There are situations where XML external entity resolution is necessary;
> users must consider the vulnerabilities inherent in resolving XML
> external entities in untrusted documents. Disabling external entity
> resolution is a safe default.
>
> Kind regards,
> Ben.
>
> On 16/10/16 11:27, Jody Garnett wrote:
> > Fair correction Ben, but we do have instructions for turning the security
> > vulnerability back on :)
>
> --
> Ben Caradoc-Davies 
> Director
> Transient Software Limited 
> New Zealand
>
--
Jody Garnett


Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Ben Caradoc-Davies
Indeed, and thanks for the detailed docs.

There are situations where XML external entity resolution is necessary; 
users must consider the vulnerabilities inherent in resolving XML 
external entities in untrusted documents. Disabling external entity 
resolution is a safe default.

Kind regards,
Ben.

On 16/10/16 11:27, Jody Garnett wrote:
> Fair correction Ben, but we do have instructions for turning the security
> vulnerability back on :)

-- 
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand



Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Jody Garnett
Fair correction Ben, but we do have instructions for turning the security
vulnerability back on :)

--
Jody Garnett

On 15 October 2016 at 17:23, Ben Caradoc-Davies  wrote:

> This release includes a *fix* for a security vulnerability, I think.  ;-)
>
> Kind regards,
> Ben.
>
> On 16/10/16 11:14, Jody Garnett wrote:
>
>> As noted this release includes a security vulnerability, the user guide
>> link is
>> http://docs.geotools.org/latest/userguide/library/metadata/geotools.html#xml
>>
>>
>> New hints are available for use with DocumentFactory
>> > DocumentFactory.html>
>>  and the WebMapServer
>> > wms/WebMapServer.html#WebMapServer-java.net.URL-org.geotools
>> .data.ows.HTTPClient-java.util.Map->
>> client.
>> The key point is the use of a PreventLocalEntityResolver *by default* -
>> this represents a change in functionality that may affect your
>> application.
>>
>> If you need to restore "the way things were" use:
>>
>> *Hints.putSystemDefault(Hints.ENTITY_RESOLVER,
>> NullEntityResolver.INSTANCE);*
>>
>>
>> The documentation on Hints
>> > geotools.html#hints>
>> has also been updated with an example of system property bindings for this
>> setting (-Dorg.xml.sax.EntityResolver=org.geotools.xml.NullEntityResolver)
>> to be used if you are working in an environment where you do not control
>> application startup and initialization.
>>
>> --
>> Jody Garnett
>>
>> On 15 October 2016 at 16:55, Jody Garnett  wrote:
>>
>> The GeoTools team is pleased to announce GeoTools 15.2.
>>>
>>>- geotools-15.2-bin.zip
>>>>> 2015%20Releases/15.2/geotools-15.2-bin.zip/download>
>>>- geotools-15.2-doc.zip
>>>>> 2015%20Releases/15.2/geotools-15.2-doc.zip/download>
>>>- geotools-15.2-userguide.zip
>>>>> 2015%20Releases/15.2/geotools-15.2-userguide.zip/download>
>>>- geotools-15.2-project.zip
>>>>> 2015%20Releases/15.2/geotools-15.2-project.zip/download>
>>>
>>> This release is also available from our Maven repository
>>> . This release is made in
>>> conjunction with GeoWebCache 1.9.2 and GeoServer 2.9.2. We would like to
>>> thank those who have contributed fixes and features to this release.
>>>
>>> GeoTools 15.2 is the latest stable release of the 15.x series and is
>>> recommended for all new projects.
>>>
>>> Security considerations:
>>>
>>>- The library now defaults to using PreventLocalEntityResolver for
>>>improved security. For more details (and how to disable this behavior)
>>>please see the GeoTools user guide
>>>>> /geotools.html#xml>
>>>.
>>>
>>> Features and Improvements:
>>>
>>>- Styling improvements include support for SE 1.1 external marks (with
>>>mark index)
>>>- Parsing hints can now be provided for WMS and WFS clients (entity
>>>resolver hint and DTD disabling hint provided).
>>>- Overview policy parameter now available for ImageMosaic.
>>>- Support for integrated water column climatological time in NetCDF
>>>files
>>>- ImagePyramid support for multiple coverages
>>>
>>>
>>>
>>>
>>>
>>> Bug Fixes:
>>>
>>>- SLD graphics now correctly handle mix of mark and external graphic
>>>choosing the first one supported.
>>>- External marks with mark index fixes for both copying and SE 1.1
>>>parsing.
>>>
>>> For more information please see the release notes (15.2
>>> >> jectId=10001=13600>
>>>  | 15.1
>>> >> sion=13000=Text=10001>
>>>  | 15.0
>>> >> sion=13002==10001=Create_
>>> token=BMGO-EVM2-SZYH-VJUH%7C60a562a29d3c23854fbe594a81086dd4
>>> 338711c1%7Clout>
>>>  | RC1
>>> >> sion=12900==10001=Create_
>>> token=BMGO-EVM2-SZYH-VJUH%7C3d37bc9c7749ef20bde1d4b83ac230c9
>>> 5ac1efc3%7Clout>
>>>  | Beta 2
>>> >> sion=12601==10001=Create_
>>> token=BMGO-EVM2-SZYH-VJUH%7C3d37bc9c7749ef20bde1d4b83ac230c9
>>> 5ac1efc3%7Clout>
>>>  | Beta 1
>>> >> sion=12101==10001=Create_
>>> token=BMGO-EVM2-SZYH-VJUH%7C3d37bc9c7749ef20bde1d4b83ac230c9
>>> 5ac1efc3%7Clout>
>>>  | M0
>>> >> sion=11402==10001=Create_
>>> 

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Ben Caradoc-Davies
This release includes a *fix* for a security vulnerability, I think.  ;-)

Kind regards,
Ben.

On 16/10/16 11:14, Jody Garnett wrote:
> As noted this release includes a security vulnerability, the user guide
> link is
> http://docs.geotools.org/latest/userguide/library/metadata/geotools.html#xml
>
>
> New hints are available for use with DocumentFactory and the WebMapServer
> client.
> The key point is the use of a PreventLocalEntityResolver *by default* -
> this represents a change in functionality that may affect your application.
>
> If you need to restore "the way things were" use:
>
> *Hints.putSystemDefault(Hints.ENTITY_RESOLVER,
> NullEntityResolver.INSTANCE);*
>
>
> The documentation on Hints has
> also been updated with an example of system property bindings for this
> setting (-Dorg.xml.sax.EntityResolver=org.geotools.xml.NullEntityResolver)
> to be used if you are working in an environment where you do not control
> application startup and initialization.
>
> --
> Jody Garnett
>
> On 15 October 2016 at 16:55, Jody Garnett  wrote:
>
>> The GeoTools team is pleased to announce GeoTools 15.2.
>>
>>- geotools-15.2-bin.zip
>>
>> 
>>- geotools-15.2-doc.zip
>>
>> 
>>- geotools-15.2-userguide.zip
>>
>> 
>>- geotools-15.2-project.zip
>>
>> 
>>
>> This release is also available from our Maven repository
>> . This release is made in
>> conjunction with GeoWebCache 1.9.2 and GeoServer 2.9.2. We would like to
>> thank those who have contributed fixes and features to this release.
>>
>> GeoTools 15.2 is the latest stable release of the 15.x series and is
>> recommended for all new projects.
>>
>> Security considerations:
>>
>>- The library now defaults to using PreventLocalEntityResolver for
>>improved security. For more details (and how to disable this behavior)
>>please see the GeoTools user guide
>>
>> 
>>.
>>
>> Features and Improvements:
>>
>>- Styling improvements include support for SE 1.1 external marks (with
>>mark index)
>>- Parsing hints can now be provided for WMS and WFS clients (entity
>>resolver hint and DTD disabling hint provided).
>>- Overview policy parameter now available for ImageMosaic.
>>- Support for integrated water column climatological time in NetCDF
>>files
>>- ImagePyramid support for multiple coverages
>>
>>
>>
>>
>>
>> Bug Fixes:
>>
>>- SLD graphics now correctly handle mix of mark and external graphic
>>choosing the first one supported.
>>- External marks with mark index fixes for both copying and SE 1.1
>>parsing.
>>
>> For more information please see the release notes (15.2
>> 
>>  | 15.1
>> 
>>  | 15.0
>> 
>>  | RC1
>> 
>>  | Beta 2
>> 
>>  | Beta 1
>> 
>>  | M0
>> 
>>  ).
>>
>
>
>

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Jody Garnett
As noted this release includes a security vulnerability, the user guide
link is
http://docs.geotools.org/latest/userguide/library/metadata/geotools.html#xml


New hints are available for use with DocumentFactory and the WebMapServer
client.
The key point is the use of a PreventLocalEntityResolver *by default* -
this represents a change in functionality that may affect your application.

If you need to restore "the way things were" use:

*Hints.putSystemDefault(Hints.ENTITY_RESOLVER,
NullEntityResolver.INSTANCE);*


The documentation on Hints has
also been updated with an example of system property bindings for this
setting (-Dorg.xml.sax.EntityResolver=org.geotools.xml.NullEntityResolver)
to be used if you are working in an environment where you do not control
application startup and initialization.

--
Jody Garnett

On 15 October 2016 at 16:55, Jody Garnett  wrote:

> The GeoTools team is pleased to announce GeoTools 15.2.
>
>- geotools-15.2-bin.zip
>
> 
>- geotools-15.2-doc.zip
>
> 
>- geotools-15.2-userguide.zip
>
> 
>- geotools-15.2-project.zip
>
> 
>
> This release is also available from our Maven repository
> . This release is made in
> conjunction with GeoWebCache 1.9.2 and GeoServer 2.9.2. We would like to
> thank those who have contributed fixes and features to this release.
>
> GeoTools 15.2 is the latest stable release of the 15.x series and is
> recommended for all new projects.
>
> Security considerations:
>
>- The library now defaults to using PreventLocalEntityResolver for
>improved security. For more details (and how to disable this behavior)
>please see the GeoTools user guide
>
> 
>.
>
> Features and Improvements:
>
>- Styling improvements include support for SE 1.1 external marks (with
>mark index)
>- Parsing hints can now be provided for WMS and WFS clients (entity
>resolver hint and DTD disabling hint provided).
>- Overview policy parameter now available for ImageMosaic.
>- Support for integrated water column climatological time in NetCDF
>files
>- ImagePyramid support for multiple coverages
>
>
>
>
>
> Bug Fixes:
>
>- SLD graphics now correctly handle mix of mark and external graphic
>choosing the first one supported.
>- External marks with mark index fixes for both copying and SE 1.1
>parsing.
>
> For more information please see the release notes (15.2
> 
>  | 15.1
> 
>  | 15.0
> 
>  | RC1
> 
>  | Beta 2
> 
>  | Beta 1
> 
>  | M0
> 
>  ).
>