Project: GeoServer
GEOS-7673

Dynamic Dimension Plugin classes not whitelisted for XML parsing

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Low
    • Resolution: Fixed
    • Affects Version/s: 2.9.1
    • Fix Version/s: 2.10-beta
    • Component/s: Community modules
    • Labels:
      None

      Description

      Enabling dynamic dimensions for a layer and restarting GeoServer results in the following error during startup:

      2016-08-05 09:39:27,060 ERROR [config.util] - Class org.geoserver.wms.dimension.DefaultValueConfiguration is not whitelisted for XML parsing. 
      This is done to prevent Remote Code Execution attacks, but it might be 
      you need this class to be authorized for GeoServer to actually work
      If you are a user, you can set a variable named GEOSERVER_XSTREAM_WHITELIST
        with a semicolon separated list of fully qualified names, or patterns
        to match several classes.The variable can be set as a system variable
        a enviromment variable, or a servlet context variable, just like 
        GEOSERVER_DATA_DIR.
        For example, in order to authorize the org.geoserver.Foo class, 
        plus any class in the org.geoserver.custom package, one could set
        a system variable: 
        -DGEOSERVER_XSTREAM_WHITELIST=org.geoserver.Foo;org.geoserver.custom.**
      If instead you are a developer, you can call allowTypes/allowTypeHierarchy against 
        the XStream used for serialization by rolling a custom 
        XStreamPersisterInitializer or customizing your XStreamServiceLoader.
      2016-08-05 09:39:27,061 WARN [org.geoserver] - Failed to load coverage 'bmng'
      com.thoughtworks.xstream.converters.ConversionException: Unauthorized class found, see logs for more details on how to handle it: org.geoserver.wms.dimension.DefaultValueConfiguration : Unauthorized class found, see logs for more details on how to handle it: org.geoserver.wms.dimension.DefaultValueConfiguration
      ---- Debugging information ----
      message             : Unauthorized class found, see logs for more details on how to handle it: org.geoserver.wms.dimension.DefaultValueConfiguration
      cause-exception     : org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx
      cause-message       : Unauthorized class found, see logs for more details on how to handle it: org.geoserver.wms.dimension.DefaultValueConfiguration
      class               : java.util.ArrayList
      required-type       : java.util.ArrayList
      converter-type      : org.geoserver.config.util.XStreamPersister$ProxyCollectionConverter
      line number         : 71
      class[1]            : org.geoserver.wms.dimension.DefaultValueConfigurations
      converter-type[1]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
      class[2]            : org.geoserver.catalog.MetadataMap
      converter-type[2]   : org.geoserver.config.util.XStreamPersister$MetadataMapConverter
      class[3]            : org.geoserver.catalog.impl.CoverageInfoImpl
      converter-type[3]   : org.geoserver.config.util.XStreamPersister$CoverageInfoConverter
      version             : 2.9.0
      -------------------------------
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:474)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:406)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:257)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
      	at org.geoserver.config.util.XStreamPersister$BreifMapConverter.populateMap(XStreamPersister.java:824)
      	at com.thoughtworks.xstream.converters.collections.MapConverter.unmarshal(MapConverter.java:87)
      	at org.geoserver.config.util.XStreamPersister$MetadataMapConverter.unmarshal(XStreamPersister.java:948)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:474)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:406)
      	at org.geoserver.config.util.XStreamPersister$ResourceInfoConverter.doUnmarshal(XStreamPersister.java:1729)
      	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:257)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1185)
      	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1169)
      	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1049)
      	at org.geoserver.config.util.XStreamPersister.load(XStreamPersister.java:597)
      	at org.geoserver.config.GeoServerLoader.depersist(GeoServerLoader.java:764)
      	at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:423)
      	at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:223)
      	at org.geoserver.config.DefaultGeoServerLoader.loadCatalog(DefaultGeoServerLoader.java:36)
      	at org.geoserver.config.ReadOnlyGeoServerLoader.loadCatalog(ReadOnlyGeoServerLoader.java:54)
      	at org.geoserver.config.GeoServerLoader.postProcessBeforeInitialization(GeoServerLoader.java:109)
      	at org.geoserver.config.GeoServerLoaderProxy.postProcessBeforeInitialization(GeoServerLoaderProxy.java:59)
      	... (repeated Spring bean factory and Tomcat context startup frames omitted)
      Caused by: org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx: Unauthorized class found, see logs for more details on how to handle it: org.geoserver.wms.dimension.DefaultValueConfiguration
      	at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:175)
      	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
      	at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
      	at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
      	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:70)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.addCurrentElementToCollection(CollectionConverter.java:98)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.populateCollection(CollectionConverter.java:91)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.populateCollection(CollectionConverter.java:85)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.unmarshal(CollectionConverter.java:80)
      	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
      	... 110 more
      Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: org.geoserver.wms.dimension.DefaultValueConfiguration
      	at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
      	at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
      	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
      	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
      	at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:150)
      	... 119 more
      

      This can be fixed by adding the following classes in DynamicDefaultXStreamInitializer.java:27:

              xs.allowTypeHierarchy(org.geoserver.wms.dimension.DefaultValueConfiguration.class);
              xs.allowTypeHierarchy(org.geoserver.wms.dimension.DefaultValueConfigurations.class);
      

      I am trying to prepare a pull request.
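The deny-by-default behaviour the startup log describes, and the allowTypeHierarchy fix, as an added stand-alone example that is neither GeoServer's own code nor the reporter's patch: it uses plain XStream with a stand-in configuration class and constructed sample XML, and the names XStreamWhitelistDemo, denyByDefault and load are assumptions.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Stand-in for the plugin's configuration bean, constructed for this example;
// it is not org.geoserver.wms.dimension.DefaultValueConfiguration itself.
class DefaultValueConfiguration {
    String dimension;
    String policy;
}

public class XStreamWhitelistDemo {
    // Deny-by-default XStream, in the spirit of GeoServer's SecureXStream:
    // NoTypePermission clears the default permissions, then only nulls,
    // primitives and String are allowed back in.
    static XStream denyByDefault() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class });
        xs.alias("DefaultValueConfiguration", DefaultValueConfiguration.class);
        return xs;
    }

    // Attempts to deserialize; returns null when the type is not whitelisted.
    static DefaultValueConfiguration load(XStream xs, String xml) {
        try {
            return (DefaultValueConfiguration) xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample of what a layer's metadata entry might look like
        String xml = "<DefaultValueConfiguration>"
                + "<dimension>time</dimension><policy>MAXIMUM</policy>"
                + "</DefaultValueConfiguration>";
        XStream xs = denyByDefault();
        // Before the fix: the class is unknown to the whitelist, so parsing is
        // refused just as the startup log reports for the real plugin class.
        System.out.println("before fix: " + load(xs, xml));

        // The fix from the report: explicitly allow the class hierarchy. The
        // GEOSERVER_XSTREAM_WHITELIST pattern form would be the equivalent of
        // xs.allowTypesByWildcard(new String[] { "org.geoserver.wms.dimension.**" });
        xs.allowTypeHierarchy(DefaultValueConfiguration.class);
        DefaultValueConfiguration cfg = load(xs, xml);
        System.out.println("after fix: dimension=" + cfg.dimension + " policy=" + cfg.policy);
    }
}
```

Allowing the narrowest hierarchy or package pattern keeps the rest of the allowlist closed; a broad wildcard such as `**` would reopen the deserialization surface the log warns about.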

        People

        • Assignee: Unassigned
        • Reporter: torstenh Torsten