Posted to dev@lucene.apache.org by "Steve Rowe (JIRA)" <ji...@apache.org> on 2015/08/28 20:13:45 UTC
[jira] [Reopened] (SOLR-7966) Solr Admin pages should set X-Frame-Options to DENY
[ https://issues.apache.org/jira/browse/SOLR-7966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Rowe reopened SOLR-7966:
------------------------------
My Jenkins found a {{JettyWebappTest}} failure [http://jenkins.sarowe.net/job/Lucene-Solr-tests-5.x-Java8/1574/] that reproduces for me on OS X:
{noformat}
[junit4] 2> NOTE: reproduce with: ant test -Dtestcase=JettyWebappTest -Dtests.method=testAdminUI -Dtests.seed=5567901EF3993FC2 -Dtests.slow=true -Dtests.linedocsfile=/home/jenkins/lucene-data/enwiki.random.lines.txt -Dtests.locale=ga -Dtests.timezone=Asia/Dubai -Dtests.asserts=true -Dtests.file.encoding=US-ASCII
[junit4] ERROR 6.73s | JettyWebappTest.testAdminUI <<<
[junit4] > Throwable #1: java.lang.IllegalStateException: Scheme 'http' not registered.
[junit4] > at __randomizedtesting.SeedInfo.seed([5567901EF3993FC2:6DB5734D94F2A47D]:0)
[junit4] > at org.apache.http.conn.scheme.SchemeRegistry.getScheme(SchemeRegistry.java:74)
[junit4] > at org.apache.http.impl.conn.ProxySelectorRoutePlanner.determineRoute(ProxySelectorRoutePlanner.java:140)
[junit4] > at org.apache.http.impl.client.DefaultRequestDirector.determineRoute(DefaultRequestDirector.java:762)
[junit4] > at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
[junit4] > at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
[junit4] > at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
[junit4] > at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
[junit4] > at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
[junit4] > at org.apache.solr.client.solrj.embedded.JettyWebappTest.testAdminUI(JettyWebappTest.java:113)
[junit4] > at java.lang.Thread.run(Thread.java:745)
[junit4] 2> 6769 INFO (SUITE-JettyWebappTest-seed#[5567901EF3993FC2]-worker) [ ] o.a.s.SolrTestCaseJ4 ###deleteCore
[junit4] 2> NOTE: leaving temporary files on disk at: /Users/sarowe/svn/lucene/dev/branches/branch_5x/solr/build/solr-solrj/test/J0/temp/solr.client.solrj.embedded.JettyWebappTest_5567901EF3993FC2-001
[junit4] 2> NOTE: test params are: codec=HighCompressionCompressingStoredFields(storedFieldsFormat=CompressingStoredFieldsFormat(compressionMode=HIGH_COMPRESSION, chunkSize=1, maxDocsPerChunk=10, blockSize=10), termVectorsFormat=CompressingTermVectorsFormat(compressionMode=HIGH_COMPRESSION, chunkSize=1, blockSize=10)), sim=RandomSimilarityProvider(queryNorm=false,coord=yes): {}, locale=ga, timezone=Asia/Dubai
[junit4] 2> NOTE: Mac OS X 10.10.5 x86_64/Oracle Corporation 1.8.0_20 (64-bit)/cpus=8,threads=1,free=229789480,total=277872640
[junit4] 2> NOTE: All tests run in this JVM: [JettyWebappTest]
[junit4] Completed [1/1] in 8.44s, 1 test, 1 error <<< FAILURES!
{noformat}
> Solr Admin pages should set X-Frame-Options to DENY
> ---------------------------------------------------
>
> Key: SOLR-7966
> URL: https://issues.apache.org/jira/browse/SOLR-7966
> Project: Solr
> Issue Type: Bug
> Reporter: Yonik Seeley
> Priority: Trivial
> Fix For: Trunk, 5.4
>
> Attachments: SOLR-7966.patch, SOLR-7966.patch
>
>
> Security scan software reported that Solr's admin interface is vulnerable to clickjacking, which is fixable with the X-Frame-Options HTTP header.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
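The issue text above says a scanner flagged the admin UI as clickjackable and that X-Frame-Options fixes it. The following is an added example, not code from the Solr project or from this thread: it models the browser-side decision a scanner reproduces, i.e. whether a response with the given headers may be rendered inside a frame hosted by another origin, honouring X-Frame-Options (RFC 7034) and, with precedence, CSP frame-ancestors. The sample headers, the local Solr admin URL and the attacker URL are constructed for the demonstration, and the CSP host matching is a simplified subset of the source-expression grammar (no path matching, and a source without a scheme accepts any scheme).

```python
"""Clickjacking check: decide whether a response can be framed.

Added example, not part of the Solr project: models the browser-side
decision for X-Frame-Options (RFC 7034) and CSP frame-ancestors
(CSP Level 2, which takes precedence when both are present).  Host
matching is a simplified subset of the CSP source-expression grammar.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _origin(url):
    """Normalise a URL to scheme://host[:port], dropping default ports."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""
    port = "" if p.port is None else str(p.port)
    if port == DEFAULT_PORTS.get(scheme, ""):
        port = ""
    return f"{scheme}://{host}:{port}" if port else f"{scheme}://{host}"


def _source_matches(source, page_origin, ancestor_origin):
    """Does one frame-ancestors source expression match the framing origin?"""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return ancestor_origin == page_origin
    a_scheme, _, a_hostport = ancestor_origin.partition("://")
    a_host, _, a_port = a_hostport.partition(":")
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. "https:"
        return a_scheme == src[:-1]
    if "://" in src:                                   # host-source with explicit scheme
        s_scheme, _, s_hostport = src.partition("://")
        if s_scheme != a_scheme:
            return False
    else:                                              # scheme omitted: any scheme accepted (simplification)
        s_hostport = src
    s_host, _, s_port = s_hostport.partition(":")
    if s_port and s_port != "*" and s_port != (a_port or DEFAULT_PORTS.get(a_scheme, "")):
        return False
    if s_host.startswith("*."):                        # "*.example.org" needs at least one extra label
        return a_host.endswith(s_host[1:])
    return s_host == a_host


def framing_verdict(headers, page_url, ancestor_url):
    """Return (allowed, reason): would a browser render page_url inside a
    frame served from ancestor_url, given page_url's response headers?"""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, ancestor_origin = _origin(page_url), _origin(ancestor_url)
    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()                    # empty source list behaves like 'none'
            allowed = any(_source_matches(s, page_origin, ancestor_origin) for s in sources)
            return allowed, f"frame-ancestors {' '.join(sources)}"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options / frame-ancestors: frameable from any origin"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return ancestor_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM and misspelt values are ignored by current browsers: no protection at all.
    return True, f"X-Frame-Options: {xfo.strip()} (unrecognised value, ignored by browsers)"


# Constructed sample headers (not captured from a real Solr instance):
UNPATCHED_ADMIN = {"Content-Type": "text/html;charset=utf-8"}
PATCHED_ADMIN = {"Content-Type": "text/html;charset=utf-8", "X-Frame-Options": "DENY"}

SOLR_ADMIN = "http://localhost:8983/solr/"          # assumed local Solr admin URL
ATTACKER_PAGE = "http://attacker.example/clickjack.html"   # constructed framing page


if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED_ADMIN), ("patched", PATCHED_ADMIN)):
        allowed, why = framing_verdict(hdrs, SOLR_ADMIN, ATTACKER_PAGE)
        print(f"{label}: {'FRAMEABLE' if allowed else 'blocked'} ({why})")
```

Two points the check makes explicit: an unrecognised X-Frame-Options value (including the obsolete ALLOW-FROM form) leaves the page as exposed as no header at all, so a scanner should treat it as a finding rather than a partial fix; and when a Content-Security-Policy with frame-ancestors is also sent, browsers decide on that directive and ignore X-Frame-Options, so the two must agree. A scanner would populate the headers dict from a real HEAD/GET of the admin page; the admin UI being served with the header set is what a re-scan after the SOLR-7966 patch should confirm.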