Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2021/03/17 08:57:07 UTC

[GitHub] [solr] asalamon74 opened a new pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

asalamon74 opened a new pull request #22:
URL: https://github.com/apache/solr/pull/22


   
   Original lucene-solr pull request: https://github.com/apache/lucene-solr/pull/2406
   
   # Description
   
   In SolrPaths.assertPathAllowed, the normalize() method is only called for pathToAssert and not for the allowPaths elements.
   
   # Solution
   
   Calling it for allowPaths elements
   
   # Tests
   
   Please describe the tests you've developed or run to confirm this patch implements the feature or solves the problem.
   
   # Checklist
   
   Please review the following and check all that apply:
   
   - [x] I have reviewed the guidelines for [How to Contribute](https://wiki.apache.org/solr/HowToContribute) and my code conforms to the standards described there to the best of my ability.
   - [x] I have created a Jira issue and added the issue ID to my pull request title.
   - [x] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended)
   - [x] I have developed this patch against the `main` branch.
   - [x] I have run `./gradlew check`.
   - [x] I have added tests for my changes.
   - [ ] I have added documentation for the [Reference Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
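
The mismatch described in the pull request above, as an added example that is not Solr's code: it assumes the allow-list check is a `Path.startsWith` comparison on a POSIX file system, and `AllowPathCheck` with its two methods is a hypothetical name. The candidate list goes beyond the PR's own test to include a `..` escape and a sibling directory that shares a string prefix.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.stream.Collectors;

// Added illustration; AllowPathCheck and its methods are hypothetical, not Solr code.
public class AllowPathCheck {

  // Normalizes only the candidate and compares it with the allow-list
  // entries exactly as they were configured.
  static boolean allowedRaw(Path candidate, List<Path> allowPaths) {
    Path normalized = candidate.normalize();
    return allowPaths.stream().anyMatch(root -> normalized.startsWith(root));
  }

  // Normalizes the allow-list entries as well, so both sides of the
  // comparison are in the same form.
  static boolean allowedNormalized(Path candidate, List<Path> allowPaths) {
    List<Path> roots =
        allowPaths.stream().map(Path::normalize).collect(Collectors.toList());
    return allowedRaw(candidate, roots);
  }

  public static void main(String[] args) {
    // Constructed sample entry, same shape as the one used in the PR's test.
    List<Path> allow = List.of(Paths.get("/var/solr/../solr"));
    String[] candidates = {
      "/var/solr/foo",          // inside the allowed root
      "/var/solr/../solr/foo",  // same location, written with ".."
      "/var/solr/../../etc",    // climbs out of the allowed root
      "/var/solr2/foo",         // sibling that shares a string prefix
      "/tmp"                    // unrelated directory
    };
    for (String c : candidates) {
      Path p = Paths.get(c);
      System.out.printf("%-24s raw=%-5b normalized=%b%n",
          c, allowedRaw(p, allow), allowedNormalized(p, allow));
    }
  }
}
```

`Path.startsWith` compares whole name elements, so an un-normalized entry fails closed here: legitimate paths under the allowed root are rejected, while the escape and sibling cases stay blocked in both variants.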



[GitHub] [solr] janhoy commented on a change in pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #22:
URL: https://github.com/apache/solr/pull/22#discussion_r601229309



##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {

Review comment:
       You could get rid of the try-finally here, since assertThrows will not break the flow but continue.







[GitHub] [solr] asalamon74 commented on a change in pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
asalamon74 commented on a change in pull request #22:
URL: https://github.com/apache/solr/pull/22#discussion_r601240251



##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {

Review comment:
       Oh, that's great. Thanks for the tip, fixed it.







[GitHub] [solr] janhoy commented on pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #22:
URL: https://github.com/apache/solr/pull/22#issuecomment-808325717


   So, what's your verdict @madrob ? :) 





---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org


[GitHub] [solr] asalamon74 commented on a change in pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
asalamon74 commented on a change in pull request #22:
URL: https://github.com/apache/solr/pull/22#discussion_r601226932



##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {

Review comment:
       Changed to assertThrows.







[GitHub] [solr] madrob commented on pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
madrob commented on pull request #22:
URL: https://github.com/apache/solr/pull/22#issuecomment-808476648


   I can't come up with a way that this allows inappropriate actions. I suspect that we need to fix something else as this is probably a symptom of a different issue, not a cause, but it's probably safe to merge.




[GitHub] [solr] janhoy commented on pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
janhoy commented on pull request #22:
URL: https://github.com/apache/solr/pull/22#issuecomment-808728985


   Please add an entry to CHANGES.txt under the 9.0 heading. We don’t yet know if there will be an 8.9 release.




[GitHub] [solr] janhoy merged pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
janhoy merged pull request #22:
URL: https://github.com/apache/solr/pull/22


   




[GitHub] [solr] asalamon74 commented on a change in pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
asalamon74 commented on a change in pull request #22:
URL: https://github.com/apache/solr/pull/22#discussion_r601227081



##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {
+      cc.assertPathAllowed(Paths.get("/tmp"));
+      fail("Path /tmp should not be allowed");
+    } catch(SolrException e) {
+      /* Ignore */
+    } finally {
+      cc.shutdown();
+      System.clearProperty("solr.allowPaths");
+    }
+  }
+
+  @Test
+  public void assertAllowPathNormalizationWin() throws Exception {
+    Assume.assumeTrue(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "C:\\solr\\..\\solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("C:\\solr\\foo"));
+    try {
+      cc.assertPathAllowed(Paths.get("C:\\tmp"));
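
Review bot: In assertAllowPathNormalization the try block opens only after System.setProperty("solr.allowPaths", ...), init(ALLOW_PATHS_SOLR_XML) and the positive cc.assertPathAllowed(Paths.get("/var/solr/foo")) call, so if that positive check throws (the regression this test exists to catch) the finally is never reached, cc.shutdown() is skipped and solr.allowPaths stays set for later tests. Open the try directly after setProperty so the cleanup covers init and the positive assertion too, or move the shutdown and clearProperty into fixture teardown. The Windows variant has the same ordering.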

Review comment:
       Changed to assertThrows







[GitHub] [solr] asalamon74 commented on pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
asalamon74 commented on pull request #22:
URL: https://github.com/apache/solr/pull/22#issuecomment-816456130


   Uploaded a new version to resolve CHANGES.txt conflict.




[GitHub] [solr] asalamon74 commented on pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
asalamon74 commented on pull request #22:
URL: https://github.com/apache/solr/pull/22#issuecomment-806482649


   @janhoy I ran into this problem in a unit test. I explained it in more detail here: https://issues.apache.org/jira/browse/SOLR-15169?focusedCommentId=17289829&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17289829





[GitHub] [solr] janhoy commented on a change in pull request #22: SOLR-15169 SolrPaths.assertPathAllowed normalization problem

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #22:
URL: https://github.com/apache/solr/pull/22#discussion_r600449361



##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {
+      cc.assertPathAllowed(Paths.get("/tmp"));
+      fail("Path /tmp should not be allowed");
+    } catch(SolrException e) {
+      /* Ignore */
+    } finally {
+      cc.shutdown();
+      System.clearProperty("solr.allowPaths");
+    }
+  }
+
+  @Test
+  public void assertAllowPathNormalizationWin() throws Exception {
+    Assume.assumeTrue(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "C:\\solr\\..\\solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("C:\\solr\\foo"));
+    try {
+      cc.assertPathAllowed(Paths.get("C:\\tmp"));
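
Review bot: The only negative case in both tests is /tmp (C:\tmp on Windows), which shares no prefix with the configured entry and would be rejected whether or not allowPaths is normalized. Because "/var/solr/../solr" passes through /var, add assertions that /var itself and a sibling such as /var/other are still blocked (and C:\ with a sibling directory in the Windows test), so the test shows that normalizing the entry does not widen the allow list to the parent directory.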

Review comment:
       Use assertThrows instead

##########
File path: solr/core/src/test/org/apache/solr/core/TestCoreContainer.java
##########
@@ -549,6 +549,40 @@ public void assertAllowPathWindows() {
     assertPathBlocked("\\\\unc-server\\share\\path");
   }
 
+  @Test
+  public void assertAllowPathNormalization() throws Exception {
+    Assume.assumeFalse(OS.isFamilyWindows());
+    System.setProperty("solr.allowPaths", "/var/solr/../solr");
+    CoreContainer cc = init(ALLOW_PATHS_SOLR_XML);
+    cc.assertPathAllowed(Paths.get("/var/solr/foo"));
+    try {

Review comment:
       Change to assertThrows() ?



