Support a new environment variable / servlet context parameter / Java system property GEOSERVER_REQUIRE_FILE that lists one or more files that must exist for GeoServer startup.
This change addresses a vulnerability: without this setting, if GeoServer restarts and its data directory is on inaccessible storage such as a temporarily inaccessible network drive, GeoServer will revert to its default data directory location. With either an empty or default data directory, GeoServer will have an insecure default password. This change prevents GeoServer startup if any of one or more specified files do not exist.
This change is backwards compatible: if this option is not used, the original behaviour is preserved.
Original report from Carl:
Could a member of the PSC please contact me privately for details?
I would prefer using Google hangouts: