Posted to dev@lucene.apache.org by "Jason Gerlowski (JIRA)" <ji...@apache.org> on 2018/04/26 16:34:00 UTC

[jira] [Created] (SOLR-12279) Validate Boolean "bin/solr auth" Inputs

Jason Gerlowski created SOLR-12279:
--------------------------------------

             Summary: Validate Boolean "bin/solr auth" Inputs
                 Key: SOLR-12279
                 URL: https://issues.apache.org/jira/browse/SOLR-12279
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: scripts and tools
    Affects Versions: master (8.0)
            Reporter: Jason Gerlowski
            Assignee: Jason Gerlowski
         Attachments: repro.sh

The "auth" command in the {{bin/solr}} scripts has a handful of different parameters which take in boolean arguments.  However, {{bin/solr}} blithely accepts invalid values without warning administrators in any way of the mistake.

In most cases, the results are innocuous.  But in some cases, silently handling invalid input causes real issues.  Consider:

{code}
$ bin/solr auth enable -type basicAuth -credentials anyUser:anyPass -blockUnknown ture
Successfully enabled basic auth with username [anyUser] and password [anyPass].
$ bin/solr auth enable -type basicAuth -credentials anyUser:anyPass -blockUnknown ture
Security is already enabled. You can disable it with 'bin/solr auth disable'. Existing security.json:
{
  "authentication":{
   "blockUnknown": false,
   "class":"solr.BasicAuthPlugin",
   "credentials":{"mount":"3FLVxpOGLt4dlqlyqxgsiFDbGX+i+dc81L6qEhuBdcI= lrH1W1pFGyGoAdTJ/Isuclh042fvz66ggG7YZ4e7YwA="}
  },
  ...
}
{code}

If an administrator accidentally mistypes or fat-fingers "true" when enabling authentication, their Solr instance will remain unprotected without any warning!

The {{bin/solr auth}} tool should refuse to process invalid boolean arguments, or at the least spit out a warning in such cases.




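One way to implement the strict check the report asks for, as an added example that is not part of the original message or of Solr's own code. The function names and the BOOLEAN_OPTS list are assumptions; only the -blockUnknown flag and the sample command line come from the report.

```shell
#!/usr/bin/env bash
# Added example (not Solr code): reject invalid boolean option values up front
# instead of letting a typo such as "ture" be silently treated as false.

# Assumption: options that take a boolean. Only -blockUnknown is from the report.
BOOLEAN_OPTS="-blockUnknown"

# Print the canonical value and return 0 for true/false (case-insensitive,
# which is an assumption about what the tool should accept); return 1 otherwise.
parse_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true)  echo true ;;
    false) echo false ;;
    *)     return 1 ;;
  esac
}

# Scan a full argument list. Returns 0 if every boolean option has a valid
# value, 1 on an invalid value, 2 when the value is missing altogether.
validate_bool_args() {
  while [ "$#" -gt 0 ]; do
    opt="$1"; shift
    for b in $BOOLEAN_OPTS; do
      [ "$opt" = "$b" ] || continue
      if [ "$#" -eq 0 ]; then
        echo "ERROR: $opt requires a value of 'true' or 'false'" >&2
        return 2
      fi
      if ! parse_bool "$1" >/dev/null; then
        echo "ERROR: invalid value '$1' for $opt (expected 'true' or 'false')" >&2
        return 1
      fi
      shift   # value was valid; consume it and move to the next option
      break
    done
  done
  return 0
}

# Demo on the mistyped command line from the report: the check fails closed.
validate_bool_args auth enable -type basicAuth -credentials anyUser:anyPass \
  -blockUnknown ture || echo "refusing to run 'auth enable' with invalid input"
```

Failing closed matters here because the mistyped value otherwise leaves "blockUnknown": false in security.json while the tool reports success.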