Posted to commits@lucene.apache.org by yo...@apache.org on 2015/08/28 16:47:59 UTC

svn commit: r1698341 - in /lucene/dev/trunk/solr: CHANGES.txt core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java

Author: yonik
Date: Fri Aug 28 14:47:58 2015
New Revision: 1698341

URL: http://svn.apache.org/r1698341
Log:
SOLR-7966: set X-Frame-Options to DENY for admin ui

Modified:
    lucene/dev/trunk/solr/CHANGES.txt
    lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java
    lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java

Modified: lucene/dev/trunk/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/CHANGES.txt?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/CHANGES.txt (original)
+++ lucene/dev/trunk/solr/CHANGES.txt Fri Aug 28 14:47:58 2015
@@ -220,6 +220,9 @@ Other Changes
 * SOLR-7979: Fix two typos (in a CoreAdminHandler log message and a TestCloudPivotFacet comment).
   (Mike Drob via Christine Poerschke)
 
+* SOLR-7966: Solr Admin UI Solr now sets the HTTP header X-Frame-Options to DENY
+  to avoid clickjacking. (yonik)
+
 ==================  5.3.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release

Modified: lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java (original)
+++ lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java Fri Aug 28 14:47:58 2015
@@ -42,9 +42,11 @@ public final class LoadAdminUiServlet ex
   public void doGet(HttpServletRequest request,
                     HttpServletResponse response)
       throws IOException {
+
+    response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
+
     // This attribute is set by the SolrDispatchFilter
     CoreContainer cores = (CoreContainer) request.getAttribute("org.apache.solr.CoreContainer");
-
     InputStream in = getServletContext().getResourceAsStream("/admin.html");
     if(in != null && cores != null) {
       try {
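Review bot: `response.addHeader("X-Frame-Options", "DENY")` at the top of doGet appends rather than replaces, so if the servlet container, a reverse proxy or another filter already emits an X-Frame-Options header the admin page goes out with two values, and browsers handle duplicate or conflicting X-Frame-Options inconsistently, in some cases ignoring the header entirely. `response.setHeader("X-Frame-Options", "DENY");` guarantees exactly one value on this response. Note that this only covers the response produced by this servlet for the admin entry page; other admin-UI resources served by different handlers presumably do not get the header unless it is set there too (not visible from this hunk). It would also be worth noting in the comment that `Content-Security-Policy: frame-ancestors 'none'` is the standards-track equivalent for browsers that support it, as X-Frame-Options is only informally specified. doGet's body continues past the end of the hunk.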

Modified: lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java (original)
+++ lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java Fri Aug 28 14:47:58 2015
@@ -19,13 +19,19 @@ package org.apache.solr.client.solrj.emb
 
 import java.io.File;
 import java.net.URL;
+import java.util.Locale;
 import java.util.Random;
 
+import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
 import org.apache.commons.io.IOUtils;
-import org.apache.lucene.util.LuceneTestCase;
-import org.apache.lucene.util.TestUtil;
+import org.apache.http.Header;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.solr.SolrJettyTestBase;
 import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.impl.HttpClientUtil;
 import org.apache.solr.util.ExternalPaths;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -37,8 +43,6 @@ import org.junit.Rule;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
 
-import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
-
 /**
  *
  * @since solr 1.3
@@ -53,9 +57,9 @@ public class JettyWebappTest extends Sol
     RuleChain.outerRule(new SystemPropertiesRestoreRule());
 
   Server server;
-  
+
   @Override
-  public void setUp() throws Exception 
+  public void setUp() throws Exception
   {
     super.setUp();
     System.setProperty("solr.solr.home", SolrJettyTestBase.legacyExampleCollection1SolrHome());
@@ -84,7 +88,7 @@ public class JettyWebappTest extends Sol
   }
 
   @Override
-  public void tearDown() throws Exception 
+  public void tearDown() throws Exception
   {
     try {
       server.stop();
@@ -102,5 +106,14 @@ public class JettyWebappTest extends Sol
     String adminPath = "http://127.0.0.1:"+port+context+"/";
     byte[] bytes = IOUtils.toByteArray( new URL(adminPath).openStream() );
     assertNotNull( bytes ); // real error will be an exception
+
+
+    HttpClient client = HttpClientUtil.createClient(null);
+    HttpRequestBase m = new HttpGet(adminPath);
+    HttpResponse response = client.execute(m);
+    assertEquals(200, response.getStatusLine().getStatusCode());
+    Header header = response.getFirstHeader("X-Frame-Options");
+    assertEquals("DENY", header.getValue().toUpperCase(Locale.ROOT));
+    m.releaseConnection();
   }
 }
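Review bot: `response.getFirstHeader("X-Frame-Options")` returns null when the header is absent, so the very regression this test guards against would surface as a NullPointerException on `header.getValue()` instead of a clear assertion failure; assert the header's presence before reading it. Since the servlet sets the header with addHeader, it is also worth asserting that exactly one X-Frame-Options header comes back via `response.getHeaders(...)`, because a duplicate value can defeat the protection in some browsers while still passing a getFirstHeader check. `m.releaseConnection()` is only reached when every assertion passes; moving it into a finally keeps a failing run from leaking the connection. The enclosing test method starts before this hunk.

```java
    HttpResponse response = client.execute(m);
    try {
      assertEquals(200, response.getStatusLine().getStatusCode());
      // exactly one value: duplicate/conflicting X-Frame-Options headers are not reliably honored by browsers
      Header[] headers = response.getHeaders("X-Frame-Options");
      assertEquals("expected exactly one X-Frame-Options header", 1, headers.length);
      assertEquals("DENY", headers[0].getValue().toUpperCase(Locale.ROOT));
    } finally {
      m.releaseConnection();
    }
```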