Opened 14 years ago

Last modified 12 years ago

#149 new defect

PDFPrint - printProxy security breach

Reported by: adube Owned by:
Priority: blocker Milestone: 1.8.0
Component: widgets Version:
Keywords: Cc:

Description

currently

In order to use the PDFPrint widget, you need to specify an alternative proxy file. This file is responsible for creating and processing the print requests.

issue

Unless I'm mistaken, the printProxy doesn't check if the layers specified inside the 'spec' parameter are authorized to access the corresponding resources using the ACL. That would mean there is a security breach inside this widget.

solution

I see two solutions:

  • we fix this issue in order to let the widget live
  • we deprecate the widget and let the new upcoming print method take its place, see #147 and #148.

Before taking the final decision, I would like to add the following points (which all put weight towards the second solution):

  • this widget has been developed inside GeoPrisma only
  • it currently supports 'wms' and 'tilecache' (only with wms access, i.e. no direct web cache access) services only. The GeoExt ones support all of them.
  • you need to manually define all templates, scales and dpis available in the template, which makes it complicated to configure when the new upcoming MapFishPrintService would do that automatically.

Comments would be welcomed.
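One way to implement the check the description says is missing, as an added example (not GeoPrisma code and not part of the original ticket): every layer named in the spec is checked against the ACL before the request is forwarded, and anything unknown or malformed is refused. The spec layout (a JSON object with a `layers` list whose entries carry a `resource` name), the ACL mapping and all function names are assumptions made for illustration.

```python
import json

# Constructed ACL for illustration: resource name -> roles allowed to read it.
ACL = {
    "roads_wms": {"public", "staff"},
    "parcels_wms": {"staff"},
}


class PrintDenied(Exception):
    """Raised when a print request must not be forwarded."""


def authorize_print_spec(raw_spec, user_roles, acl=ACL):
    """Return the parsed spec only if every layer in it is readable by the user.

    Assumed spec shape (hypothetical): {"layers": [{"resource": "<name>"}, ...]}
    """
    try:
        spec = json.loads(raw_spec)
    except (TypeError, ValueError) as exc:
        raise PrintDenied("spec is not valid JSON") from exc

    layers = spec.get("layers") if isinstance(spec, dict) else None
    if not isinstance(layers, list) or not layers:
        raise PrintDenied("spec has no layer list")

    roles = set(user_roles)
    for layer in layers:
        resource = layer.get("resource") if isinstance(layer, dict) else None
        if not isinstance(resource, str):
            raise PrintDenied("layer without a resource name")
        # Deny by default: a resource missing from the ACL is readable by nobody.
        if not roles & acl.get(resource, set()):
            raise PrintDenied("not authorized for resource %r" % resource)
    return spec


def is_allowed(raw_spec, user_roles):
    """True if the request may be passed on to the print backend."""
    try:
        authorize_print_spec(raw_spec, user_roles)
        return True
    except PrintDenied:
        return False
```

The whole request is rejected if a single layer fails the check, so an authorized layer cannot be used to carry an unauthorized one through the proxy.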

Change History (7)

comment:1 by adube, 13 years ago

#76 should also be considered.

comment:2 by adube, 13 years ago

#79 and #80 too.

comment:3 by adube, 13 years ago

Milestone: 1.0.0

comment:4 by adube, 13 years ago

Milestone: 1.0.0 → 1.2.0

No patch, bumping to 1.2.

comment:5 by adube, 12 years ago

Milestone: 1.2.0 → 1.4.0

No patch, moved to 1.4.

comment:6 by belug, 12 years ago

Milestone: 1.4.0 → 1.6.0

No patch, moved to 1.6.

comment:7 by adube, 12 years ago

Milestone: 1.6.0 → 1.8.0

No patch, moved to 1.8.
