Posted to commits@lucene.apache.org by ho...@apache.org on 2020/09/29 16:29:13 UTC

[lucene-solr] branch branch_8x updated: SOLR-14898: Stop returning duplicate HTTP response headers when requests are forward to another node

This is an automated email from the ASF dual-hosted git repository.

hossman pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new 9b49512  SOLR-14898: Stop returning duplicate HTTP response headers when requests are forward to another node
9b49512 is described below

commit 9b49512a11a27d5b0e6449b62c3910fbf119a73f
Author: Chris Hostetter <ho...@apache.org>
AuthorDate: Tue Sep 29 09:19:03 2020 -0700

    SOLR-14898: Stop returning duplicate HTTP response headers when requests are forward to another node
    
    (cherry picked from commit 8c7502dfeb5bcc6c0d37f65220cd49f15efa0797)
---
 solr/CHANGES.txt                                   |  2 +
 .../java/org/apache/solr/servlet/HttpSolrCall.java |  6 +-
 .../apache/solr/servlet/SecurityHeadersTest.java   | 93 ++++++++++++++++++++++
 3 files changed, 100 insertions(+), 1 deletion(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 90530a7..409bea7 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -130,6 +130,8 @@ Bug Fixes
 
 * SOLR-14897: Fix unlimited number of forwarding the request from one node to another node. (hossman, Munendra S N)
 
+* SOLR-14898: Stop returning duplicate HTTP response headers when requests are forward to another node. (hossman)
+
 Other Changes
 ---------------------
 
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index fc6d6b6..468348d 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -727,7 +727,11 @@ public class HttpSolrCall {
         // encoding issues with Tomcat
         if (header != null && !header.getName().equalsIgnoreCase(TRANSFER_ENCODING_HEADER)
             && !header.getName().equalsIgnoreCase(CONNECTION_HEADER)) {
-          resp.addHeader(header.getName(), header.getValue());
+          
+          // NOTE: explicitly using 'setHeader' instead of 'addHeader' so that
+          // the remote nodes values for any response headers will overide any that
+          // may have already been set locally (ex: by the local jetty's RewriteHandler config)
+          resp.setHeader(header.getName(), header.getValue());
         }
       }
 
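Review bot: Calling `resp.setHeader` for every header copied from the remote response means that when the remote node sends several instances of the same header name (a multi-valued header such as `Vary` or `Set-Cookie`), each instance overwrites the previous one and only the last value reaches the client; the loop iterating those headers begins outside this hunk, as does the enclosing method. Keeping the intended precedence over locally-set values while preserving every remote value needs a per-response set of header names already seen: replace on the first instance of a name, append on the rest, as sketched below. Whether `java.util.Set`, `java.util.HashSet` and `java.util.Locale` are already imported in this file is not visible from the hunk. The new comment also misspells "override" as "overide".
```java
// declared before the loop over the remote response's headers (the loop header is outside this hunk)
final Set<String> namesSeen = new HashSet<>();
// … unchanged: loop header and the Transfer-Encoding / Connection filter …
          if (namesSeen.add(header.getName().toLowerCase(Locale.ROOT))) {
            // first instance of this name from the remote node: replace any locally-set value
            resp.setHeader(header.getName(), header.getValue());
          } else {
            // further instances of a multi-valued header: keep every remote value
            resp.addHeader(header.getName(), header.getValue());
          }
```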
diff --git a/solr/core/src/test/org/apache/solr/servlet/SecurityHeadersTest.java b/solr/core/src/test/org/apache/solr/servlet/SecurityHeadersTest.java
new file mode 100644
index 0000000..115f8f6
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/servlet/SecurityHeadersTest.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.servlet;
+
+import java.net.URI;
+import java.util.Arrays;
+import java.util.Map;
+
+import org.apache.solr.client.solrj.embedded.JettySolrRunner;
+import org.apache.solr.client.solrj.SolrClient;
+import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
+import org.apache.solr.cloud.SolrCloudTestCase;
+import org.apache.solr.common.params.SolrParams;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * Confirm that the expected security headers are returned when making requests to solr,
+ * regardless of wether the request is interanlly forwared to another node.
+ */
+@org.apache.lucene.util.LuceneTestCase.AwaitsFix(bugUrl="https://issues.apache.org/jira/browse/SOLR-14903")
+public class SecurityHeadersTest extends SolrCloudTestCase {
+
+  private static final String COLLECTION = "xxx" ;
+
+  private static final int NODE_COUNT = 2;
+
+  /* A quick and dirty mapping of the headers/values we expect to find */
+  private static final SolrParams EXPECTED_HEADERS
+    = params("Content-Security-Policy", "default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';",
+             "X-Content-Type-Options", "nosniff",
+             "X-Frame-Options", "SAMEORIGIN",
+             "X-XSS-Protection", "1; mode=block");
+  
+  @BeforeClass
+  public static void setupCluster() throws Exception {
+
+    configureCluster(NODE_COUNT).configure();
+
+    // create a 1 shard x 1 node collection
+    CollectionAdminRequest.createCollection(COLLECTION, null, 1, 1)
+        .process(cluster.getSolrClient());
+
+  }
+
+  @Test
+  public void testHeaders() throws Exception {
+    // it shouldn't matter what node our lone replica/core wound up on, headers should be the same...
+    for (JettySolrRunner jetty : cluster.getJettySolrRunners()) {
+      try (SolrClient solrClient = jetty.newClient()) {
+        final HttpClient client = ((HttpSolrClient) solrClient).getHttpClient();
+
+        // path shouldn't matter -- even if bogus / 404
+        for (String path : Arrays.asList("/select", "/bogus")) {
+          final HttpResponse resp = client.execute
+            (new HttpGet(URI.create(jetty.getBaseUrl().toString() + "/" + COLLECTION + path)));
+
+          for (Map.Entry<String,String[]> entry : EXPECTED_HEADERS) {
+            // these exact arrays (of 1 element each) should be *ALL* of the header instances...
+            // no more, no less.
+            assertEquals(entry.getValue(),
+                         resp.getHeaders(entry.getKey()));
+            
+          }
+        }
+      }
+    }
+    
+  }
+
+  
+}
+
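Review bot: The assertion at the end of testHeaders compares `entry.getValue()`, a `String[]`, with `resp.getHeaders(entry.getKey())`, which HttpClient declares as `Header[]`; whichever `assertEquals` overload resolves, a `String` is never equal to a `Header`, so the check cannot pass even when the headers are exactly right, and the comment above it ("these exact arrays ... should be *ALL* of the header instances") describes an intent the code does not implement. Map the headers to their values before comparing, e.g. `assertArrayEquals(entry.getValue(), Arrays.stream(resp.getHeaders(entry.getKey())).map(Header::getValue).toArray(String[]::new));` (needs `import org.apache.http.Header;`). Separately, each `client.execute(...)` response is neither consumed nor closed, so its pooled connection may stay checked out until the client is closed; calling `EntityUtils.consumeQuietly(resp.getEntity())` after the assertions releases it. The class Javadoc also misspells "whether", "internally" and "forwarded".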