You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by yo...@apache.org on 2015/08/28 16:47:59 UTC
svn commit: r1698341 - in /lucene/dev/trunk/solr: CHANGES.txt
core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java
solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java
Author: yonik
Date: Fri Aug 28 14:47:58 2015
New Revision: 1698341
URL: http://svn.apache.org/r1698341
Log:
SOLR-7966: set X-Frame-Options to DENY for admin ui
Modified:
lucene/dev/trunk/solr/CHANGES.txt
lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java
lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java
Modified: lucene/dev/trunk/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/CHANGES.txt?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/CHANGES.txt (original)
+++ lucene/dev/trunk/solr/CHANGES.txt Fri Aug 28 14:47:58 2015
@@ -220,6 +220,9 @@ Other Changes
* SOLR-7979: Fix two typos (in a CoreAdminHandler log message and a TestCloudPivotFacet comment).
(Mike Drob via Christine Poerschke)
+* SOLR-7966: Solr Admin UI Solr now sets the HTTP header X-Frame-Options to DENY
+ to avoid clickjacking. (yonik)
+
================== 5.3.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release
Modified: lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java (original)
+++ lucene/dev/trunk/solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java Fri Aug 28 14:47:58 2015
@@ -42,9 +42,11 @@ public final class LoadAdminUiServlet ex
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws IOException {
+
+ response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
+
// This attribute is set by the SolrDispatchFilter
CoreContainer cores = (CoreContainer) request.getAttribute("org.apache.solr.CoreContainer");
-
InputStream in = getServletContext().getResourceAsStream("/admin.html");
if(in != null && cores != null) {
try {
Modified: lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java?rev=1698341&r1=1698340&r2=1698341&view=diff
==============================================================================
--- lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java (original)
+++ lucene/dev/trunk/solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java Fri Aug 28 14:47:58 2015
@@ -19,13 +19,19 @@ package org.apache.solr.client.solrj.emb
import java.io.File;
import java.net.URL;
+import java.util.Locale;
import java.util.Random;
+import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
import org.apache.commons.io.IOUtils;
-import org.apache.lucene.util.LuceneTestCase;
-import org.apache.lucene.util.TestUtil;
+import org.apache.http.Header;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpRequestBase;
import org.apache.solr.SolrJettyTestBase;
import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.util.ExternalPaths;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -37,8 +43,6 @@ import org.junit.Rule;
import org.junit.rules.RuleChain;
import org.junit.rules.TestRule;
-import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
-
/**
*
* @since solr 1.3
@@ -53,9 +57,9 @@ public class JettyWebappTest extends Sol
RuleChain.outerRule(new SystemPropertiesRestoreRule());
Server server;
-
+
@Override
- public void setUp() throws Exception
+ public void setUp() throws Exception
{
super.setUp();
System.setProperty("solr.solr.home", SolrJettyTestBase.legacyExampleCollection1SolrHome());
@@ -84,7 +88,7 @@ public class JettyWebappTest extends Sol
}
@Override
- public void tearDown() throws Exception
+ public void tearDown() throws Exception
{
try {
server.stop();
@@ -102,5 +106,14 @@ public class JettyWebappTest extends Sol
String adminPath = "http://127.0.0.1:"+port+context+"/";
byte[] bytes = IOUtils.toByteArray( new URL(adminPath).openStream() );
assertNotNull( bytes ); // real error will be an exception
+
+
+ HttpClient client = HttpClientUtil.createClient(null);
+ HttpRequestBase m = new HttpGet(adminPath);
+ HttpResponse response = client.execute(m);
+ assertEquals(200, response.getStatusLine().getStatusCode());
+ Header header = response.getFirstHeader("X-Frame-Options");
+ assertEquals("DENY", header.getValue().toUpperCase(Locale.ROOT));
+ m.releaseConnection();
}
}