Posted to solr-dev@lucene.apache.org by Chris Hostetter <ho...@fucit.org> on 2007/05/01 20:25:12 UTC

Re: svn commit: r533978 - /lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java

Ryan: this should probably be called out in the CHANGES.txt as a change in
behavior.

: Date: Tue, 01 May 2007 09:02:08 -0000
: From: ryan@apache.org
: Reply-To: solr-dev@lucene.apache.org
: To: solr-commits@lucene.apache.org
: Subject: svn commit: r533978 - /lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
:
: Author: ryan
: Date: Tue May  1 02:02:08 2007
: New Revision: 533978
:
: URL: http://svn.apache.org/viewvc?view=rev&rev=533978
: Log:
: minor security fix.  This makes sure you can't call paths that start with "/" from /select
:
: This way, if you register a handler with "/path" and use path based authentication, you can not sneak into it using:
:
:  http://localhost:8983/solr/select/?qt=/update&stream.body=...
:
: Modified:
:     lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
:
: Modified: lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
: URL: http://svn.apache.org/viewvc/lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java?view=diff&rev=533978&r1=533977&r2=533978
: ==============================================================================
: --- lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java (original)
: +++ lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java Tue May  1 02:02:08 2007
: @@ -139,6 +139,9 @@
:            if( "/select".equals( path ) || "/select/".equals( path ) ) {
:              solrReq = parsers.parse( path, req );
:              String qt = solrReq.getParams().get( SolrParams.QT );
: +            if( qt != null && qt.startsWith( "/" ) ) {
: +              throw new SolrException( 400, "Invalid query type.  Do not use /select to access: "+qt);
: +            }
:              handler = core.getRequestHandler( qt );
:              if( handler == null ) {
:                throw new SolrException( 400, "unknown handler: "+qt);
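Review bot: the new guard `if( qt != null && qt.startsWith( "/" ) )` carries no comment, so a later reader has only the commit log to learn why a leading slash is rejected at this point (path-named handlers are expected to be protected by the container's path-based authentication, which only sees the request URL and never the qt parameter). Add a one-line comment to that effect above the check, and a test that `/select?qt=/update` and `/select/?qt=/update` now fail with 400 while `/select?qt=standard` still dispatches. Minor: the 400 message appends the caller-supplied qt verbatim; consider escaping or truncating it before it is echoed back.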
:
:



-Hoss
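The bypass described in the quoted commit message, written out as an added example that is not part of this thread or of Solr's own code: a Python model of a servlet container whose path-based authentication covers /update, and of a SolrDispatchFilter-style dispatcher that can also reach a handler through the qt parameter of /select. The handler registry, the "admin" role, the URL prefixes and the assumption that a missing qt selects the "standard" handler are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed handler registry: handlers registered by name ("standard") or
# by path ("/update"), as solrconfig.xml allows.  Values are labels only.
HANDLERS = {
    "standard": "search-handler",
    "/update": "update-handler",
    "/admin/ping": "ping-handler",
}

# Constructed path-based auth rules in the spirit of web.xml
# security-constraints: URL prefix -> role required.  Unlisted paths are open.
PROTECTED = {
    "/update": "admin",
    "/admin/": "admin",
}


def authorized(path, roles):
    """Container-level check: it runs on the request URL path only, before the
    application sees the request, and never looks at query parameters."""
    for prefix, role in PROTECTED.items():
        if path.startswith(prefix):
            return role in roles
    return True


def dispatch(url, roles=(), guard=True):
    """Resolve a request to a handler, mimicking SolrDispatchFilter.

    guard=False reproduces the pre-r533978 behaviour; guard=True applies the
    qt.startsWith("/") rejection from the commit.  Returns (status, body).
    """
    parts = urlsplit(url)
    path = parts.path
    params = parse_qs(parts.query)          # also percent-decodes values

    if not authorized(path, roles):
        return 401, "authentication required for " + path

    if path in ("/select", "/select/"):
        # Assumption: a missing qt selects the "standard" handler.
        qt = params.get("qt", ["standard"])[0]
        if guard and qt.startswith("/"):
            return 400, "Invalid query type.  Do not use /select to access: " + qt
        name = qt
    else:
        name = path

    handler = HANDLERS.get(name)
    if handler is None:
        return 400, "unknown handler: " + name
    return 200, handler


if __name__ == "__main__":
    # Constructed requests: a direct /update call, the bypass from the commit
    # message with and without the guard, and an ordinary search.
    for url, roles, guard in [
        ("/update", (), True),
        ("/update", ("admin",), True),
        ("/select?qt=/update&stream.body=<delete><query>*:*</query></delete>", (), False),
        ("/select?qt=/update&stream.body=<delete><query>*:*</query></delete>", (), True),
        ("/select?qt=%2Fupdate", (), True),
        ("/select?qt=standard&q=*:*", (), True),
    ]:
        print(f"guard={guard!s:5} roles={roles!s:10} {url}\n    -> {dispatch(url, roles, guard)}")
```

The point the model makes is that the container's rule is keyed on the URL path, so any in-application indirection (here the qt parameter) is a second route to the same handler that the rule never sees; because the servlet decodes parameters before the filter runs, `qt=%2Fupdate` is caught by the same check as `qt=/update`. The commit closes that one route for path-named handlers; the more general fix is to authorize at the handler rather than at the URL.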