Posted to commits@lucene.apache.org by is...@apache.org on 2018/05/06 17:45:13 UTC
[1/2] lucene-solr:branch_7_3: SOLR-12316: Do not allow to use
absolute URIs for including other files in solrconfig.xml and schema parsing
Repository: lucene-solr
Updated Branches:
refs/heads/branch_7_3 7b74345ed -> ae0705edb
SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/6c4e45e2
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/6c4e45e2
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/6c4e45e2
Branch: refs/heads/branch_7_3
Commit: 6c4e45e28494d4d4d04fb89852d18c86fa3d5f84
Parents: 7b74345
Author: Uwe Schindler <us...@apache.org>
Authored: Sun May 6 14:21:34 2018 +0200
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sun May 6 23:13:43 2018 +0530
----------------------------------------------------------------------
solr/CHANGES.txt | 6 +++++-
.../org/apache/solr/util/SystemIdResolver.java | 14 ++++----------
.../apache/solr/util/TestSystemIdResolver.java | 19 +++++++++++++++++--
3 files changed, 26 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/CHANGES.txt
----------------------------------------------------------------------
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 87c999d..bb908d4 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -36,7 +36,8 @@ Bug Fixes
* SOLR-12256: Fixed some eventual-consistency issues with collection aliases by using ZooKeeper.sync(). (David Smiley)
-* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down state (Cao Manh Dat)
+* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down
+ state (Cao Manh Dat)
* SOLR-12146: LIR should skip deleted replicas (Cao Manh Dat)
@@ -50,6 +51,9 @@ Bug Fixes
* SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
+* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
+ (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
+
================== 7.3.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
index 6fda14f..c208520 100644
--- a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
+++ b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
@@ -16,9 +16,6 @@
*/
package org.apache.solr.util;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
import org.apache.lucene.analysis.util.ResourceLoader;
import org.xml.sax.InputSource;
@@ -26,7 +23,6 @@ import org.xml.sax.EntityResolver;
import org.xml.sax.ext.EntityResolver2;
import java.io.File;
import java.io.IOException;
-import java.lang.invoke.MethodHandles;
import java.net.URI;
import java.net.URISyntaxException;
import javax.xml.transform.Source;
@@ -55,7 +51,6 @@ import javax.xml.stream.XMLStreamException;
* </pre>
*/
public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
- private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
@@ -126,8 +121,9 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
@Override
public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
- if (systemId == null)
+ if (systemId == null) {
return null;
+ }
try {
final URI uri = resolveRelativeURI(baseURI, systemId);
@@ -147,12 +143,10 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
throw new IOException(re.getMessage(), re);
}
} else {
- // resolve all other URIs using the standard resolver
- return null;
+ throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
}
} catch (URISyntaxException use) {
- log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
- return null;
+ throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
}
}
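Review bot: The `else` branch that now throws has lost its comment, and nothing in the new code says why it fails closed. The removed lines show that returning `null` handed the systemId to the standard resolver, which is the fallback this commit closes. I would add `// fail closed: returning null lets the parser's default resolver fetch the absolute systemId (file:, http:, ...)` above the `throw`, and a similar line in the `catch (URISyntaxException use)` branch, which used to fall back the same way. Judging by the test added in this commit, an absolute path such as `/etc/passwd` does not reach this branch and is refused by the resource loader instead, so the method's Javadoc should state that dependency. The body of `resolveEntity` starts outside this hunk.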
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
index 7980a59..4c2677d 100644
--- a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
+++ b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
@@ -17,6 +17,7 @@
package org.apache.solr.util;
import java.io.File;
+import java.io.IOException;
import java.nio.file.Path;
import org.apache.commons.io.IOUtils;
@@ -76,8 +77,22 @@ public class TestSystemIdResolver extends LuceneTestCase {
assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
- // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
- assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
+ // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
+ IOException ioe = expectThrows(IOException.class, () -> {
+ resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
+ });
+ assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+
+ ioe = expectThrows(IOException.class, () -> {
+ resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
+ });
+ assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+
+ // check that we can't escape with absolute file paths:
+ ioe = expectThrows(IOException.class, () -> {
+ resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
+ });
+ assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
}
}
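Review bot: The added assertions cover the absolute-URI branch but not the `URISyntaxException` branch, which this commit also changes from returning `null` to throwing. A case such as `expectThrows(IOException.class, () -> resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", MALFORMED_SYSTEM_ID));` followed by a check that the message starts with `An URI syntax problem occurred` would pin that fallback as closed too. `MALFORMED_SYSTEM_ID` is a placeholder, since the parsing rules of `resolveRelativeURI` are not visible here and the value has to be one that actually fails URI parsing. The test method starts outside this hunk.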
[2/2] lucene-solr:branch_7_3: SOLR-12316: Fix test to work on linux
and test also windows in a better way
Posted by is...@apache.org.
SOLR-12316: Fix test to work on linux and test also windows in a better way
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/ae0705ed
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/ae0705ed
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/ae0705ed
Branch: refs/heads/branch_7_3
Commit: ae0705edb59eaa567fe13ed3a222fdadc7153680
Parents: 6c4e45e
Author: Uwe Schindler <us...@apache.org>
Authored: Sun May 6 15:53:07 2018 +0200
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sun May 6 23:13:48 2018 +0530
----------------------------------------------------------------------
.../apache/solr/util/TestSystemIdResolver.java | 30 +++++++++++++-------
1 file changed, 19 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ae0705ed/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
index 4c2677d..f87eeb4 100644
--- a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
+++ b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
@@ -19,6 +19,7 @@ package org.apache.solr.util;
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
+import java.util.Arrays;
import org.apache.commons.io.IOUtils;
import org.apache.lucene.analysis.util.ResourceLoader;
@@ -29,11 +30,6 @@ import org.xml.sax.InputSource;
public class TestSystemIdResolver extends LuceneTestCase {
- public void setUp() throws Exception {
- super.setUp();
- System.setProperty("solr.allow.unsafe.resourceloading", "true");
- }
-
public void tearDown() throws Exception {
System.clearProperty("solr.allow.unsafe.resourceloading");
super.tearDown();
@@ -74,8 +70,6 @@ public class TestSystemIdResolver extends LuceneTestCase {
"solrres:/org/apache/solr/util/RTimer.class", "TestSystemIdResolver.class");
assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/collection1/conf/schema.xml"),
SystemIdResolver.createSystemIdFromResourceName(testHome+"/collection1/conf/solrconfig.xml"), "schema.xml");
- assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
- SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
// if somebody uses an absolute uri (e.g., file://) we should fail resolving:
IOException ioe = expectThrows(IOException.class, () -> {
@@ -89,10 +83,24 @@ public class TestSystemIdResolver extends LuceneTestCase {
assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
// check that we can't escape with absolute file paths:
- ioe = expectThrows(IOException.class, () -> {
- resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
- });
- assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
+ for (String path : Arrays.asList("/etc/passwd", "/windows/notepad.exe")) {
+ ioe = expectThrows(IOException.class, () -> {
+ resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", path);
+ });
+ assertTrue(ioe.getMessage().startsWith("Can't find resource")
+ || ioe.getMessage().contains("is outside resource loader dir"));
+ }
+ }
+
+ public void testUnsafeResolving() throws Exception {
+ System.setProperty("solr.allow.unsafe.resourceloading", "true");
+
+ final Path testHome = SolrTestCaseJ4.getFile("solr/collection1").getParentFile().toPath();
+ final ResourceLoader loader = new SolrResourceLoader(testHome.resolve("collection1"), this.getClass().getClassLoader());
+ final SystemIdResolver resolver = new SystemIdResolver(loader);
+
+ assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
+ SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
}
}
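Review bot: `testUnsafeResolving` only checks that the out-of-directory resource resolves when `solr.allow.unsafe.resourceloading` is `true`; it does not assert that absolute URIs are still refused in that mode. The `throw` added to `SystemIdResolver.resolveEntity` in the first commit looks unconditional, so adding `expectThrows(IOException.class, () -> resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml"));` here would stop a later change from tying that check to the unsafe flag. The property is set inside the test body and cleared only in `tearDown`, so a short comment saying that the cleanup lives there would help the next reader.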