Posted to commits@lucene.apache.org by yo...@apache.org on 2018/05/30 14:15:56 UTC

lucene-solr:master: SOLR-12417: enforce valid function name for v.json

Repository: lucene-solr
Updated Branches:
  refs/heads/master d27a2e899 -> 107fd24ec


SOLR-12417: enforce valid function name for v.json


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/107fd24e
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/107fd24e
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/107fd24e

Branch: refs/heads/master
Commit: 107fd24ec7849d245c701882d3009463787165a3
Parents: d27a2e8
Author: yonik <yo...@apache.org>
Authored: Wed May 30 10:15:09 2018 -0400
Committer: yonik <yo...@apache.org>
Committed: Wed May 30 10:15:09 2018 -0400

----------------------------------------------------------------------
 solr/CHANGES.txt                                               | 2 ++
 .../java/org/apache/solr/response/VelocityResponseWriter.java  | 6 ++++++
 .../org/apache/solr/velocity/VelocityResponseWriterTest.java   | 6 ++++++
 3 files changed, 14 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/107fd24e/solr/CHANGES.txt
----------------------------------------------------------------------
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index dbf99de..72af1cc 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -276,6 +276,8 @@ Bug Fixes
 * SOLR-12314: Use http timeout's defined in solr.xml for creating ConcurrentUpdateSolrClient during
   indexing requests between leader and replica ( Mark Miller, Varun Thacker)
 
+* SOLR-12417: velocity response writer should enforce valid function name for v.json parameter (yonik)
+
 Optimizations
 ----------------------
 

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/107fd24e/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java
----------------------------------------------------------------------
diff --git a/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java b/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java
index 133bc63..ad1ee39 100644
--- a/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java
+++ b/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java
@@ -35,6 +35,7 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.solr.client.solrj.SolrResponse;
 import org.apache.solr.client.solrj.response.QueryResponse;
 import org.apache.solr.client.solrj.response.SolrResponseBase;
+import org.apache.solr.common.SolrException;
 import org.apache.solr.common.params.CommonParams;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.core.SolrCore;
@@ -184,6 +185,11 @@ public class VelocityResponseWriter implements QueryResponseWriter, SolrCoreAwar
       }
 
       if (jsonWrapper != null) {
+        for (int i=0; i<jsonWrapper.length(); i++) {
+          if (!Character.isJavaIdentifierPart(jsonWrapper.charAt(i))) {
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Invalid function name for " + JSON + ": '" + jsonWrapper + "'");
+          }
+        }
         writer.write(jsonWrapper + "(");
         writer.write(getJSONWrap(stringWriter.toString()));
         writer.write(')');
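Review bot: The loop at the added `if (!Character.isJavaIdentifierPart(...))` check is looser than "valid function name": `isJavaIdentifierPart` also returns true for identifier-ignorable characters (the C0/C1 control range and Unicode format characters), so those pass the check and are written straight into the response, and it accepts a leading digit, while an empty `v.json` value skips the loop entirely and emits `(` + JSON + `)`. Since `jsonWrapper` appears to come from the request parameter (inferred; its assignment is outside the hunk), the check should require a non-empty value whose first char satisfies `Character.isJavaIdentifierStart` and reject `Character.isIdentifierIgnorable` chars in the rest. The enclosing method starts and ends outside this hunk.
```java
      if (jsonWrapper != null) {
        // A JSONP callback must be a plain identifier: non-empty, identifier start, then identifier parts.
        // isJavaIdentifierPart() also accepts identifier-ignorable control/format chars, so exclude them explicitly.
        if (jsonWrapper.isEmpty() || !Character.isJavaIdentifierStart(jsonWrapper.charAt(0))) {
          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Invalid function name for " + JSON + ": '" + jsonWrapper + "'");
        }
        for (int i=1; i<jsonWrapper.length(); i++) {
          char c = jsonWrapper.charAt(i);
          if (!Character.isJavaIdentifierPart(c) || Character.isIdentifierIgnorable(c)) {
            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Invalid function name for " + JSON + ": '" + jsonWrapper + "'");
          }
        }
        // … unchanged: writer.write(jsonWrapper + "(") / getJSONWrap / writer.write(')') …
```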

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/107fd24e/solr/contrib/velocity/src/test/org/apache/solr/velocity/VelocityResponseWriterTest.java
----------------------------------------------------------------------
diff --git a/solr/contrib/velocity/src/test/org/apache/solr/velocity/VelocityResponseWriterTest.java b/solr/contrib/velocity/src/test/org/apache/solr/velocity/VelocityResponseWriterTest.java
index 336ee4b..9b70e1b 100644
--- a/solr/contrib/velocity/src/test/org/apache/solr/velocity/VelocityResponseWriterTest.java
+++ b/solr/contrib/velocity/src/test/org/apache/solr/velocity/VelocityResponseWriterTest.java
@@ -17,6 +17,7 @@
 package org.apache.solr.velocity;
 
 import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.common.SolrException;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.response.QueryResponseWriter;
 import org.apache.solr.response.SolrParamResourceLoader;
@@ -187,6 +188,11 @@ public class VelocityResponseWriterTest extends SolrTestCaseJ4 {
         VelocityResponseWriter.TEMPLATE, "numFound",
         VelocityResponseWriter.JSON,"foo",
         VelocityResponseWriter.LAYOUT,"layout")));
+
+    assertQEx("Bad function name should throw exception", req("q", "*:*", "wt", "velocity",
+        VelocityResponseWriter.TEMPLATE, "numFound",
+        VelocityResponseWriter.JSON,"<foo>"), SolrException.ErrorCode.BAD_REQUEST
+    );
   }
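Review bot: The new `assertQEx` case pins only one rejected value, `<foo>`, so the boundary of what counts as a valid name (empty string, leading digit, control characters) is left undocumented by the test. Because `Character.isJavaIdentifierPart` accepts digits in any position, a case stating the intended outcome for a value such as `"1foo"` or `""` next to the accepted `"foo"` above would make the rule explicit and guard it against later changes. The enclosing test method starts outside this hunk.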
 
   @Test