You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@lucene.apache.org by is...@apache.org on 2018/05/06 17:45:13 UTC

[1/2] lucene-solr:branch_7_3: SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

Repository: lucene-solr
Updated Branches:
  refs/heads/branch_7_3 7b74345ed -> ae0705edb


SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/6c4e45e2
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/6c4e45e2
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/6c4e45e2

Branch: refs/heads/branch_7_3
Commit: 6c4e45e28494d4d4d04fb89852d18c86fa3d5f84
Parents: 7b74345
Author: Uwe Schindler <us...@apache.org>
Authored: Sun May 6 14:21:34 2018 +0200
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sun May 6 23:13:43 2018 +0530

----------------------------------------------------------------------
 solr/CHANGES.txt                                 |  6 +++++-
 .../org/apache/solr/util/SystemIdResolver.java   | 14 ++++----------
 .../apache/solr/util/TestSystemIdResolver.java   | 19 +++++++++++++++++--
 3 files changed, 26 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/CHANGES.txt
----------------------------------------------------------------------
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 87c999d..bb908d4 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -36,7 +36,8 @@ Bug Fixes
 
 * SOLR-12256: Fixed some eventual-consistency issues with collection aliases by using ZooKeeper.sync(). (David Smiley)
 
-* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down state (Cao Manh Dat)
+* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down 
+  state (Cao Manh Dat)
 
 * SOLR-12146: LIR should skip deleted replicas (Cao Manh Dat)
 
@@ -50,6 +51,9 @@ Bug Fixes
 
 * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
 
+* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
+  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
+
 ==================  7.3.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
index 6fda14f..c208520 100644
--- a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
+++ b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
@@ -16,9 +16,6 @@
  */
 package org.apache.solr.util;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import org.apache.lucene.analysis.util.ResourceLoader;
 
 import org.xml.sax.InputSource;
@@ -26,7 +23,6 @@ import org.xml.sax.EntityResolver;
 import org.xml.sax.ext.EntityResolver2;
 import java.io.File;
 import java.io.IOException;
-import java.lang.invoke.MethodHandles;
 import java.net.URI;
 import java.net.URISyntaxException;
 import javax.xml.transform.Source;
@@ -55,7 +51,6 @@ import javax.xml.stream.XMLStreamException;
  * </pre>
  */
 public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
   public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
   public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
@@ -126,8 +121,9 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
   
   @Override
   public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
-    if (systemId == null)
+    if (systemId == null) {
       return null;
+    }
     try {
       final URI uri = resolveRelativeURI(baseURI, systemId);
       
@@ -147,12 +143,10 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
           throw new IOException(re.getMessage(), re);
         }
       } else {
-        // resolve all other URIs using the standard resolver
-        return null;
+        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
       }
     } catch (URISyntaxException use) {
-      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
-      return null;
+      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
     }
   }
 

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
index 7980a59..4c2677d 100644
--- a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
+++ b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
@@ -17,6 +17,7 @@
 package org.apache.solr.util;
 
 import java.io.File;
+import java.io.IOException;
 import java.nio.file.Path;
 
 import org.apache.commons.io.IOUtils;
@@ -76,8 +77,22 @@ public class TestSystemIdResolver extends LuceneTestCase {
     assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
       SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
     
-    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
-    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
+    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
+    IOException ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
+    });
+    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+    
+    ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
+    });
+    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+    
+    // check that we can't escape with absolute file paths:
+    ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
+    });
+    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
   }
 
 }

[2/2] lucene-solr:branch_7_3: SOLR-12316: Fix test to work on linux and test also windows in a better way

Posted by is...@apache.org.

SOLR-12316: Fix test to work on linux and test also windows in a better way


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/ae0705ed
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/ae0705ed
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/ae0705ed

Branch: refs/heads/branch_7_3
Commit: ae0705edb59eaa567fe13ed3a222fdadc7153680
Parents: 6c4e45e
Author: Uwe Schindler <us...@apache.org>
Authored: Sun May 6 15:53:07 2018 +0200
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sun May 6 23:13:48 2018 +0530

----------------------------------------------------------------------
 .../apache/solr/util/TestSystemIdResolver.java  | 30 +++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ae0705ed/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
index 4c2677d..f87eeb4 100644
--- a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
+++ b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
@@ -19,6 +19,7 @@ package org.apache.solr.util;
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Path;
+import java.util.Arrays;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.lucene.analysis.util.ResourceLoader;
@@ -29,11 +30,6 @@ import org.xml.sax.InputSource;
 
 public class TestSystemIdResolver extends LuceneTestCase {
   
-  public void setUp() throws Exception {
-    super.setUp();
-    System.setProperty("solr.allow.unsafe.resourceloading", "true");
-  }
-
   public void tearDown() throws Exception {
     System.clearProperty("solr.allow.unsafe.resourceloading");
     super.tearDown();
@@ -74,8 +70,6 @@ public class TestSystemIdResolver extends LuceneTestCase {
       "solrres:/org/apache/solr/util/RTimer.class", "TestSystemIdResolver.class");
     assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/collection1/conf/schema.xml"),
       SystemIdResolver.createSystemIdFromResourceName(testHome+"/collection1/conf/solrconfig.xml"), "schema.xml");
-    assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
-      SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
     
     // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
     IOException ioe = expectThrows(IOException.class, () -> {
@@ -89,10 +83,24 @@ public class TestSystemIdResolver extends LuceneTestCase {
     assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
     
     // check that we can't escape with absolute file paths:
-    ioe = expectThrows(IOException.class, () -> {
-      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
-    });
-    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
+    for (String path : Arrays.asList("/etc/passwd", "/windows/notepad.exe")) {
+      ioe = expectThrows(IOException.class, () -> {
+        resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", path);
+      });
+      assertTrue(ioe.getMessage().startsWith("Can't find resource")
+          || ioe.getMessage().contains("is outside resource loader dir"));
+    }
+  }
+
+  public void testUnsafeResolving() throws Exception {
+    System.setProperty("solr.allow.unsafe.resourceloading", "true");
+    
+    final Path testHome = SolrTestCaseJ4.getFile("solr/collection1").getParentFile().toPath();
+    final ResourceLoader loader = new SolrResourceLoader(testHome.resolve("collection1"), this.getClass().getClassLoader());
+    final SystemIdResolver resolver = new SystemIdResolver(loader);
+    
+    assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
+      SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");    
   }
 
 }