Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects versions: 2.7.2
    • Fix versions: 2.6.5, 2.7.3, 2.8-beta
    • Components: WCS, WFS, WMS, WPS
    • Labels:
      None

      Description

      The GeoServer 2.7.2 security fix breaks POST requests in JBoss. The security fix allows only jar, http and https URLs for schemas, but JBoss uses vfs URLs when reading jar files, and GeoServer does not allow those.

      WCS 1.0.0

      Caused by: org.xml.sax.SAXException: 
          Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wcs-13.2.jar/org/geotools/wcs/getCoverage.xsd
      
      

      WCS 1.1.1

      Caused by: org.xml.sax.SAXException: 
          Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wcs-13.2.jar/org/geotools/wcs/v1_1/wcsAll.xsd
      
      

      WPS 1.0.0

      Caused by: org.xml.sax.SAXException: 
          Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wps-13.2.jar/org/geotools/wps/wpsAll.xsdk
      
      

      ENVIRONMENT:

      RHEL 6.x
      Java 1.7.0_85-b15 (Oracle)
      JBoss 7.1.1 Final
      GeoServer 2.7.2
      GeoServer WPS plugin 2.7.2

      STEPS TO REPRODUCE:

      1. Start with GeoServer 2.7.2 running in a JBoss 7.1.1 container.
      2. Copy the image file test_image.tif to the GEOSERVER_DATA_DIR.
      3. Copy the GeoServer WPS plugin (fnmoc-wps-test-1.0.0.jar) into the
      <JBOSS_HOME>/standalone/deployments/geoserver.war/WEB-INF/lib directory.
      4. (Re)start JBoss 7.1.1.
      5. Create workspace 'test' in GeoServer 2.7.2.
      6. Create GeoTiff layer 'test_image' in GeoServer 2.7.2.
      7. Verify that you can see the layer 'test:test_image' in Layer Previewer.
      8. To see the error, run the following curl commands:

      curl -v -XPOST -d @wcs-post-1.0.0.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wcs
      
      
      curl -v -XPOST -d @wcs-post-1.1.1.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wcs
      
      
      curl -v -XPOST -d @test-wps-post-1.0.0.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wps 
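
An added illustration, not GeoServer's own code and not part of the original report: a minimal SAX EntityResolver that allow-lists URL schemes for schema lookups. It shows why a vfs: system ID is rejected when only jar, http and https are allowed, and that adding vfs does not open up file: URLs. The class name, the .xsd suffix check and the sample paths are assumptions made for this example.

```java
import java.io.IOException;
import java.util.*;
import org.xml.sax.*;

/** Illustration only: scheme allow-list for schema resolution (not GeoServer's code). */
public class SchemaAllowList implements EntityResolver {
    private final Set<String> schemes;

    public SchemaAllowList(String... allowed) {
        this.schemes = new HashSet<>(Arrays.asList(allowed));
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        String id = systemId == null ? "" : systemId;
        int colon = id.indexOf(':');
        String scheme = colon < 0 ? "" : id.substring(0, colon).toLowerCase(Locale.ROOT);
        // Assumption of this example: besides the scheme, require a plain .xsd
        // target with no query or fragment, so only schema documents pass.
        boolean ok = schemes.contains(scheme) && id.endsWith(".xsd")
                && id.indexOf('?') < 0 && id.indexOf('#') < 0;
        if (!ok) {
            throw new SAXException("Entity resolution disallowed for " + systemId);
        }
        return null; // null tells the parser to open the system ID itself
    }

    static String check(EntityResolver r, String systemId) {
        try {
            r.resolveEntity(null, systemId);
            return "allowed";
        } catch (SAXException | IOException e) {
            return "blocked";
        }
    }

    public static void main(String[] args) {
        // Constructed sample system IDs; all paths are placeholders.
        String[] ids = {
            "jar:file:/opt/app/WEB-INF/lib/schemas.jar!/org/example/all.xsd",
            "vfs:/opt/app/deployments/app.war/WEB-INF/lib/schemas.jar/org/example/all.xsd",
            "file:/opt/app/data/local.xml",
        };
        EntityResolver before = new SchemaAllowList("jar", "http", "https");
        EntityResolver after = new SchemaAllowList("jar", "http", "https", "vfs");
        for (String id : ids) {
            System.out.println(check(before, id) + " -> " + check(after, id) + "  " + id);
        }
    }
}
```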
      
      

              People

              • Assignee:
                tbarsballe Torben Barsballe
                Reporter:
                tbarsballe Torben Barsballe
              • Votes: 0
                Watchers: 2
