Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/15 08:39:12 UTC

[ofbiz-plugins] branch release17.12 updated: Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 89ad3d8  Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316)
89ad3d8 is described below

commit 89ad3d8207176977e7ead40d41f6dfdd049c2c40
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Sep 15 10:20:45 2021 +0200

    Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316)
    
    This post-auth security issue was reported to the security team by weinull orz
    <we...@outlook.com>. As he suggested, the solution is to update Solr to its latest
    version (8.9.0).
    
    This solution contains a (justified) rant!
    
    Thanks: weinull orz
    
    Conflicts handled by hand (hence the numerous unnecessary automatic changes due to my editor (Scite) config):
    #	lucene/build.gradle
    #	solr/home/solrdefault/conf/solrconfig.xml
---
 lucene/build.gradle                                |   8 +-
 .../apache/ofbiz/content/search/SearchWorker.java  |   2 +-
 solr/build.gradle                                  |   2 +-
 solr/home/solrdefault/conf/solrconfig.xml          | 384 ++++++++++++---------
 .../ofbiz/solr/webapp/OFBizSolrContextFilter.java  |  45 ++-
 5 files changed, 262 insertions(+), 179 deletions(-)

diff --git a/lucene/build.gradle b/lucene/build.gradle
index e20f734..c711417 100644
--- a/lucene/build.gradle
+++ b/lucene/build.gradle
@@ -17,7 +17,9 @@
  * under the License.
  */
 dependencies {
-    pluginLibsCompile 'org.apache.lucene:lucene-core:8.5.2'
-    pluginLibsCompile 'org.apache.lucene:lucene-queryparser:8.5.2'
-    pluginLibsCompile 'org.apache.lucene:lucene-analyzers-common:8.5.2'
+    // Remember to change the version number in SearchWorker class when upgrading.
+    // Also Solr et Lucene should use the same version, luceneMatchVersion should be updated in solrconfig.xml
+    pluginLibsCompile 'org.apache.lucene:lucene-core:8.9.0'
+    pluginLibsCompile 'org.apache.lucene:lucene-queryparser:8.9.0'
+    pluginLibsCompile 'org.apache.lucene:lucene-analyzers-common:8.9.0'
 }
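Review bot: the new comment in this hunk reads "Solr et Lucene"; "et" is French and should be "and" (the same wording sits in the unchanged context of the solr/build.gradle hunk, so fix both). The comment is also duplicated between lucene/build.gradle and solr/build.gradle, and the version itself now has to be bumped in three places in step (both build files plus `SearchWorker.LUCENE_VERSION`); a single shared version property would remove the need for the reminder comment.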
diff --git a/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java b/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
index bb50c63..04d33ad 100644
--- a/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
+++ b/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
@@ -41,7 +41,7 @@ public final class SearchWorker {
 
     public static final String module = SearchWorker.class.getName();
 
-    private static final Version LUCENE_VERSION = Version.LUCENE_8_5_2;
+    private static final Version LUCENE_VERSION = Version.LUCENE_8_9_0;
 
     private SearchWorker() {}
 
diff --git a/solr/build.gradle b/solr/build.gradle
index cee21e1..c02184e 100644
--- a/solr/build.gradle
+++ b/solr/build.gradle
@@ -19,7 +19,7 @@
 dependencies {
     // Remember to change the version number in SearchWorker class when upgrading.
     // Also Solr et Lucene should use the same version, luceneMatchVersion should be updated in solrconfig.xml
-    pluginLibsCompile 'org.apache.solr:solr-core:8.5.2'
+    pluginLibsCompile 'org.apache.solr:solr-core:8.9.0'
     pluginLibsCompile 'com.google.guava:guava:28.0-jre'
 }
 
diff --git a/solr/home/solrdefault/conf/solrconfig.xml b/solr/home/solrdefault/conf/solrconfig.xml
index 3100cc5..11f1099 100644
--- a/solr/home/solrdefault/conf/solrconfig.xml
+++ b/solr/home/solrdefault/conf/solrconfig.xml
@@ -16,9 +16,9 @@
  limitations under the License.
 -->
 
-<!-- 
+<!--
      For more details about configurations options that may appear in
-     this file, see http://wiki.apache.org/solr/SolrConfigXml. 
+     this file, see http://wiki.apache.org/solr/SolrConfigXml.
 -->
 <config>
   <!-- In all configuration below, a prefix of "solr." for class names
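Review bot: this hunk, like most of the following ones in solrconfig.xml, only strips trailing whitespace (the commit message attributes this to the editor configuration). For a file whose substantive change is the `luceneMatchVersion` bump, the diffstat shows 384 changed lines, which buries the security-relevant change and makes the merge-conflict residue further down easy to miss. A separate whitespace-only commit, or disabling strip-on-save in the editor, would keep this diff to the version change.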
@@ -35,7 +35,7 @@
        that you fully re-index after changing this setting as it can
        affect both how text is indexed and queried.
   -->
-  <luceneMatchVersion>8.5.2</luceneMatchVersion>
+  <luceneMatchVersion>8.9.0</luceneMatchVersion>
 
   <!-- <lib/> directives can be used to instruct Solr to load any Jars
        identified and use them to resolve any "plugins" specified in
@@ -46,19 +46,19 @@
        instanceDir.
 
        Please note that <lib/> directives are processed in the order
-       that they appear in your solrconfig.xml file, and are "stacked" 
-       on top of each other when building a ClassLoader - so if you have 
-       plugin jars with dependencies on other jars, the "lower level" 
+       that they appear in your solrconfig.xml file, and are "stacked"
+       on top of each other when building a ClassLoader - so if you have
+       plugin jars with dependencies on other jars, the "lower level"
        dependency jars should be loaded first.
 
        If a "./lib" directory exists in your instanceDir, all files
        found in it are included as if you had used the following
        syntax...
-       
+
               <lib dir="./lib" />
     -->
 
-  <!-- A 'dir' option by itself adds any files found in the directory 
+  <!-- A 'dir' option by itself adds any files found in the directory
        to the classpath, this is useful for including all jars in a
        directory.
 
@@ -69,10 +69,10 @@
        If a 'dir' option (with or without a regex) is used and nothing
        is found that matches, a warning will be logged.
 
-       The examples below can be used to load some solr-contribs along 
+       The examples below can be used to load some solr-contribs along
        with their external dependencies.
     -->
-  <!-- 
+  <!--
   <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
   <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
 
@@ -86,14 +86,14 @@
   <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
     -->
 
-  <!-- an exact 'path' can be used instead of a 'dir' to specify a 
-       specific jar file.  This will cause a serious error to be logged 
+  <!-- an exact 'path' can be used instead of a 'dir' to specify a
+       specific jar file.  This will cause a serious error to be logged
        if it can't be loaded.
     -->
   <!--
-     <lib path="../a-jar-that-does-not-exist.jar" /> 
+     <lib path="../a-jar-that-does-not-exist.jar" />
   -->
-  
+
   <!-- Data Directory
 
        Used to specify an alternate directory to hold all index data
@@ -105,7 +105,7 @@
 
 
   <!-- The DirectoryFactory to use for indexes.
-       
+
        solr.StandardDirectoryFactory is filesystem
        based and tries to pick the best implementation for the current
        JVM and platform.  solr.NRTCachingDirectoryFactory, the default,
@@ -118,7 +118,7 @@
        solr.RAMDirectoryFactory is memory based, not
        persistent, and doesn't work with replication.
     -->
-  <directoryFactory name="DirectoryFactory" 
+  <directoryFactory name="DirectoryFactory"
                     class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
 
   <!-- The CodecFactory for defining the format of the inverted index.
@@ -133,24 +133,29 @@
   <codecFactory class="solr.SchemaCodecFactory"/>
 
   <!-- To enable dynamic schema REST APIs, use the following for <schemaFactory>:
-  
+
        <schemaFactory class="ManagedIndexSchemaFactory">
          <bool name="mutable">true</bool>
          <str name="managedSchemaResourceName">managed-schema</str>
        </schemaFactory>
-       
+
        When ManagedIndexSchemaFactory is specified, Solr will load the schema from
        the resource named in 'managedSchemaResourceName', rather than from schema.xml.
        Note that the managed schema resource CANNOT be named schema.xml.  If the managed
        schema does not exist, Solr will create it after reading schema.xml, then rename
-       'schema.xml' to 'schema.xml.bak'. 
-       
+<<<<<<< HEAD
+       'schema.xml' to 'schema.xml.bak'.
+
+=======
+       'schema.xml' to 'schema.xml.bak'.
+
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
        Do NOT hand edit the managed schema - external modifications will be ignored and
        overwritten as a result of schema modification REST API calls.
 
        When ManagedIndexSchemaFactory is specified with mutable = true, schema
        modification REST API calls will be allowed; otherwise, error responses will be
-       sent back for these requests. 
+       sent back for these requests.
   -->
   <schemaFactory class="ClassicIndexSchemaFactory"/>
 
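Review bot: unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ff03ec24 (...)`) were committed in this hunk, with the line `'schema.xml' to 'schema.xml.bak'.` duplicated on both sides of the marker. They fall inside the `<!-- To enable dynamic schema REST APIs ... -->` comment, so the file still parses, but the markers should be removed and the line kept once.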
@@ -158,19 +163,19 @@
        Index Config - These settings control low-level behavior of indexing
        Most example settings here show the default value, but are commented
        out, to more easily see where customizations have been made.
-       
+
        Note: This replaces <indexDefaults> and <mainIndex> from older versions
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
   <indexConfig>
-    <!-- maxFieldLength was removed in 4.0. To get similar behavior, include a 
-         LimitTokenCountFilterFactory in your fieldType definition. E.g. 
+    <!-- maxFieldLength was removed in 4.0. To get similar behavior, include a
+         LimitTokenCountFilterFactory in your fieldType definition. E.g.
      <filter class="solr.LimitTokenCountFilterFactory" maxTokenCount="10000"/>
     -->
     <!-- Maximum time to wait for a write lock (ms) for an IndexWriter. Default: 1000 -->
     <!-- <writeLockTimeout>1000</writeLockTimeout>  -->
 
-    <!-- Expert: Enabling compound file will use less files for the index, 
-         using fewer file descriptors on the expense of performance decrease. 
+    <!-- Expert: Enabling compound file will use less files for the index,
+         using fewer file descriptors on the expense of performance decrease.
          Default in Lucene is "true". Default in Solr is "false" (since 3.6) -->
     <!-- <useCompoundFile>false</useCompoundFile> -->
 
@@ -185,7 +190,7 @@
     <!-- <ramBufferSizeMB>100</ramBufferSizeMB> -->
     <!-- <maxBufferedDocs>1000</maxBufferedDocs> -->
 
-    <!-- Expert: Merge Policy 
+    <!-- Expert: Merge Policy
          The Merge Policy in Lucene controls how merging of segments is done.
          The default since Solr/Lucene 3.3 is TieredMergePolicy.
          The default since Lucene 2.3 was the LogByteSizeMergePolicy,
@@ -198,7 +203,7 @@
           <double name="noCFSRatio">0.1</double>
         </mergePolicy>
       -->
-       
+
     <!-- Merge Factor
          The merge factor controls how many segments will get merged at a time.
          For TieredMergePolicy, mergeFactor is a convenience parameter which
@@ -207,7 +212,7 @@
          will be allowed before they are merged into one.
          Default is 10 for both merge policies.
       -->
-    <!-- 
+    <!--
     <mergeFactor>10</mergeFactor>
       -->
 
@@ -217,15 +222,15 @@
          can perform merges in the background using separate threads.
          The SerialMergeScheduler (Lucene 2.2 default) does not.
      -->
-    <!-- 
+    <!--
        <mergeScheduler class="org.apache.lucene.index.ConcurrentMergeScheduler"/>
        -->
 
-    <!-- LockFactory 
+    <!-- LockFactory
 
          This option specifies which Lucene LockFactory implementation
          to use.
-      
+
          single = SingleInstanceLockFactory - suggested for a
                   read-only index or when there is no possibility of
                   another process trying to modify the index.
@@ -249,11 +254,11 @@
          The default Solr IndexDeletionPolicy implementation supports
          deleting index commit points on number of commits, age of
          commit point and optimized status.
-         
+
          The latest commit point should always be preserved regardless
          of the criteria.
     -->
-    <!-- 
+    <!--
     <deletionPolicy class="solr.SolrDeletionPolicy">
     -->
       <!-- The number of commit points to be kept -->
@@ -268,12 +273,12 @@
          <str name="maxCommitAge">30MINUTES</str>
          <str name="maxCommitAge">1DAY</str>
       -->
-    <!-- 
+    <!--
     </deletionPolicy>
     -->
 
     <!-- Lucene Infostream
-       
+
          To aid in advanced debugging, Lucene provides an "InfoStream"
          of detailed information when indexing.
 
@@ -286,7 +291,7 @@
 
 
   <!-- JMX
-       
+
        This example enables JMX if and only if an existing MBeanServer
        is found, use this if you want to configure JMX through JVM
        parameters. Remove this to disable exposing Solr configuration
@@ -296,7 +301,7 @@
     -->
   <jmx />
   <!-- If you want to connect to a particular server, specify the
-       agentId 
+       agentId
     -->
   <!-- <jmx agentId="myAgent" /> -->
   <!-- If you want to start a new MBeanServer, specify the serviceUrl -->
@@ -323,12 +328,12 @@
       <str name="dir">${solr.ulog.dir:}</str>
       <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
     </updateLog>
- 
+
     <!-- AutoCommit
 
          Perform a hard commit automatically under certain conditions.
          Instead of enabling autoCommit, consider using "commitWithin"
-         when adding documents. 
+         when adding documents.
 
          http://wiki.apache.org/solr/UpdateXmlMessages
 
@@ -337,7 +342,7 @@
 
          maxTime - Maximum amount of time in ms that is allowed to pass
                    since a document was added before automatically
-                   triggering a new commit. 
+                   triggering a new commit.
          openSearcher - if false, the commit causes recent index changes
            to be flushed to stable storage, but does not cause a new
            searcher to be opened to make those changes visible.
@@ -345,9 +350,9 @@
          If the updateLog is enabled, then it's highly recommended to
          have some sort of hard autoCommit to limit the log size.
       -->
-     <autoCommit> 
-       <maxTime>${solr.autoCommit.maxTime:15000}</maxTime> 
-       <openSearcher>false</openSearcher> 
+     <autoCommit>
+       <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
+       <openSearcher>false</openSearcher>
      </autoCommit>
 
     <!-- softAutoCommit is like autoCommit except it causes a
@@ -356,12 +361,12 @@
          faster and more near-realtime friendly than a hard commit.
       -->
 
-     <autoSoftCommit> 
-       <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime> 
+     <autoSoftCommit>
+       <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
      </autoSoftCommit>
 
     <!-- Update Related Event Listeners
-         
+
          Various IndexWriter related events can trigger Listeners to
          take actions.
 
@@ -370,10 +375,10 @@
       -->
     <!-- The RunExecutableListener executes an external command from a
          hook such as postCommit or postOptimize.
-         
+
          exe - the name of the executable to run
          dir - dir to use as the current working directory. (default=".")
-         wait - the calling thread waits until the executable returns. 
+         wait - the calling thread waits until the executable returns.
                 (default="true")
          args - the arguments to pass to the program.  (default is none)
          env - environment variables to set.  (default is none)
@@ -393,7 +398,7 @@
       -->
 
   </updateHandler>
-  
+
   <!-- IndexReaderFactory
 
        Use the following format to specify a custom IndexReaderFactory,
@@ -432,24 +437,29 @@
          is thrown if exceeded.
 
          ** WARNING **
-         
+
          This option actually modifies a global Lucene property that
          will affect all SolrCores.  If multiple solrconfig.xml files
          disagree on this property, the value at any given moment will
          be based on the last SolrCore to be initialized.
-         
+
       -->
     <maxBooleanClauses>1024</maxBooleanClauses>
 
- 
+
     <!-- Slow Query Threshold (in millis)
-    
-         At high request rates, logging all requests can become a bottleneck 
+<<<<<<< HEAD
+
+         At high request rates, logging all requests can become a bottleneck
+=======
+
+         At high request rates, logging all requests can become a bottleneck
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
          and therefore INFO logging is often turned off. However, it is still
          useful to be able to set a latency threshold above which a request
          is considered "slow" and log that request at WARN level so we can
          easily identify slow queries.
-    --> 
+    -->
     <slowQueryThresholdMillis>-1</slowQueryThresholdMillis>
 
 
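Review bot: the conflict markers around `At high request rates, logging all requests can become a bottleneck` were committed unresolved; both sides are identical, so the resolution is to keep the line once and drop `<<<<<<< HEAD`, `=======` and `>>>>>>> ff03ec24 (...)`. They are inside the "Slow Query Threshold" comment, so this is cosmetic rather than a parse error, but it should not ship.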
@@ -457,7 +467,7 @@
 
          There are two implementations of cache available for Solr,
          LRUCache, based on a synchronized LinkedHashMap, and
-         FastLRUCache, based on a ConcurrentHashMap.  
+         FastLRUCache, based on a ConcurrentHashMap.
 
          FastLRUCache has faster gets and slower puts in single
          threaded operation and thus is generally faster than LRUCache
@@ -482,7 +492,7 @@
            initialSize - the initial capacity (number of entries) of
                the cache.  (see java.util.HashMap)
            autowarmCount - the number of entries to prepopulate from
-               and old cache.  
+               and old cache.
       -->
     <filterCache class="solr.FastLRUCache"
                  size="512"
@@ -501,19 +511,24 @@
                      size="512"
                      initialSize="512"
                      autowarmCount="0"/>
-   
+
     <!-- Document Cache
 
          Caches Lucene Document objects (the stored fields for each
          document).  Since Lucene internal document ids are transient,
-         this cache will not be autowarmed.  
+         this cache will not be autowarmed.
       -->
     <documentCache class="solr.LRUCache"
                    size="512"
                    initialSize="512"
                    autowarmCount="0"/>
-    
-    <!-- custom cache currently used by block join --> 
+<<<<<<< HEAD
+
+    <!-- custom cache currently used by block join -->
+=======
+
+    <!-- custom cache currently used by block join -->
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
     <cache name="perSegFilter"
       class="solr.search.LRUCache"
       size="10"
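Review bot: the conflict markers committed in this hunk are not inside a comment: `<<<<<<< HEAD` and `>>>>>>> ff03ec24 (...)` land as bare text between `<documentCache .../>` and `<cache name="perSegFilter"`. A `<` followed by `<` is not well-formed XML, so the XML parser will reject solrconfig.xml and the solrdefault core cannot start. Resolve to a single `<!-- custom cache currently used by block join -->` line, and run the file through an XML parser (or start the core) before pushing.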
@@ -522,7 +537,7 @@
       regenerator="solr.NoOpRegenerator" />
 
     <!-- Field Value Cache
-         
+
          Cache used to hold field values that are quickly accessible
          by document id.  The fieldValueCache is created by default
          even if not configured here.
@@ -540,8 +555,8 @@
          name through SolrIndexSearcher.getCache(),cacheLookup(), and
          cacheInsert().  The purpose is to enable easy caching of
          user/application level data.  The regenerator argument should
-         be specified as an implementation of solr.CacheRegenerator 
-         if autowarming is desired.  
+         be specified as an implementation of solr.CacheRegenerator
+         if autowarming is desired.
       -->
     <!--
        <cache name="myUserCache"
@@ -588,12 +603,12 @@
         are collected.  For example, if a search for a particular query
         requests matching documents 10 through 19, and queryWindowSize is 50,
         then documents 0 through 49 will be collected and cached.  Any further
-        requests in that range can be satisfied via the cache.  
+        requests in that range can be satisfied via the cache.
      -->
    <queryResultWindowSize>20</queryResultWindowSize>
 
    <!-- Maximum number of documents to cache for any entry in the
-        queryResultCache. 
+        queryResultCache.
      -->
    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
 
@@ -611,10 +626,10 @@
         prepared but there is no current registered searcher to handle
         requests or to gain autowarming data from.
 
-        
+
      -->
     <!-- QuerySenderListener takes an array of NamedList and executes a
-         local query request for each NamedList in sequence. 
+         local query request for each NamedList in sequence.
       -->
     <listener event="newSearcher" class="solr.QuerySenderListener">
       <arr name="queries">
@@ -642,7 +657,7 @@
     <useColdSearcher>false</useColdSearcher>
 
     <!-- Max Warming Searchers
-         
+
          Maximum number of searchers that may be warming in the
          background concurrently.  An error is returned if this limit
          is exceeded.
@@ -664,7 +679,7 @@
        such as /select?qt=XXX
 
        handleSelect="true" will cause the SolrDispatchFilter to process
-       the request and dispatch the query to a handler specified by the 
+       the request and dispatch the query to a handler specified by the
        "qt" param, assuming "/select" isn't already registered.
 
        handleSelect="false" will cause the SolrDispatchFilter to
@@ -686,26 +701,26 @@
 
          multipartUploadLimitInKB - specifies the max size (in KiB) of
          Multipart File Uploads that Solr will allow in a Request.
-         
+
          formdataUploadLimitInKB - specifies the max size (in KiB) of
          form data (application/x-www-form-urlencoded) sent via
          POST. You can use POST to pass request parameters not
          fitting into the URL.
-         
+
          addHttpRequestToContext - if set to true, it will instruct
          the requestParsers to include the original HttpServletRequest
-         object in the context map of the SolrQueryRequest under the 
+         object in the context map of the SolrQueryRequest under the
          key "httpRequest". It will not be used by any of the existing
-         Solr components, but may be useful when developing custom 
+         Solr components, but may be useful when developing custom
          plugins.
-         
+
          *** WARNING ***
          The settings below authorize Solr to fetch remote files, You
          should make sure your system has some authentication before
          using enableRemoteStreaming="true"
 
-      --> 
-    <requestParsers enableRemoteStreaming="true" 
+      -->
+    <requestParsers enableRemoteStreaming="true"
                     multipartUploadLimitInKB="2048000"
                     formdataUploadLimitInKB="2048"
                     addHttpRequestToContext="false"/>
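Review bot: this hunk only strips whitespace, but since the commit is there to close an SSRF in the bundled Solr it is the right moment to revisit `enableRemoteStreaming="true"` on the lines just below the `*** WARNING ***` context: that text states the setting authorizes Solr to fetch remote files and should only be used once authentication is in place. If OFBiz does not rely on remote streaming, set it to `false`; if it does, note in the commit which authentication fronts the Solr endpoints (the commit message only says the reported issue is post-auth).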
@@ -721,21 +736,21 @@
     <!-- If you include a <cacheControl> directive, it will be used to
          generate a Cache-Control header (as well as an Expires header
          if the value contains "max-age=")
-         
+
          By default, no Cache-Control header is generated.
-         
+
          You can use the <cacheControl> option even if you have set
          never304="true"
       -->
     <!--
        <httpCaching never304="true" >
-         <cacheControl>max-age=30, public</cacheControl> 
+         <cacheControl>max-age=30, public</cacheControl>
        </httpCaching>
       -->
     <!-- To enable Solr to respond with automatically generated HTTP
          Caching headers, and to response to Cache Validation requests
          correctly, set the value of never304="false"
-         
+
          This will cause Solr to generate Last-Modified and ETag
          headers based on the properties of the Index.
 
@@ -760,12 +775,12 @@
     <!--
        <httpCaching lastModifiedFrom="openTime"
                     etagSeed="Solr">
-         <cacheControl>max-age=30, public</cacheControl> 
+         <cacheControl>max-age=30, public</cacheControl>
        </httpCaching>
       -->
   </requestDispatcher>
 
-  <!-- Request Handlers 
+  <!-- Request Handlers
 
        http://wiki.apache.org/solr/SolrRequestHandler
 
@@ -916,8 +931,13 @@
 
 
 
-  <!-- A Robust Example 
-       
+<<<<<<< HEAD
+  <!-- A Robust Example
+
+=======
+  <!-- A Robust Example
+
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
        This example SearchHandler declaration shows off usage of the
        SearchHandler with many defaults declared
 
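Review bot: `<<<<<<< HEAD` at the top of this hunk sits outside any comment, and the duplicated `<!-- A Robust Example` on the `=======` side opens a second `<!--` inside the comment started by the first one. Both break XML well-formedness (a bare `<<`, and `--` inside a comment), so the file will not parse. Keep one `<!-- A Robust Example` line and remove the three marker lines.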
@@ -998,14 +1018,14 @@
 
        <!-- Spell checking defaults -->
        <str name="spellcheck">on</str>
-       <str name="spellcheck.extendedResults">false</str>       
+       <str name="spellcheck.extendedResults">false</str>
        <str name="spellcheck.count">5</str>
        <str name="spellcheck.alternativeTermCount">2</str>
-       <str name="spellcheck.maxResultsForSuggest">5</str>       
+       <str name="spellcheck.maxResultsForSuggest">5</str>
        <str name="spellcheck.collate">true</str>
-       <str name="spellcheck.collateExtendedResults">true</str>  
+       <str name="spellcheck.collateExtendedResults">true</str>
        <str name="spellcheck.maxCollationTries">5</str>
-       <str name="spellcheck.maxCollations">3</str>           
+       <str name="spellcheck.maxCollations">3</str>
      </lst>
 
      <!-- append spellchecking to our list of components -->
@@ -1048,10 +1068,10 @@
 
   <!-- Solr Cell Update Request Handler
 
-       http://wiki.apache.org/solr/ExtractingRequestHandler 
+       http://wiki.apache.org/solr/ExtractingRequestHandler
 
     -->
-  <requestHandler name="/update/extract" 
+  <requestHandler name="/update/extract"
                   startup="lazy"
                   class="solr.extraction.ExtractingRequestHandler" >
     <lst name="defaults">
@@ -1084,7 +1104,7 @@
            field value analysis will be marked as "matched" for every
            token that is produces by the query analysis
    -->
-  <requestHandler name="/analysis/field" 
+  <requestHandler name="/analysis/field"
                   startup="lazy"
                   class="solr.FieldAnalysisRequestHandler" />
 
@@ -1117,34 +1137,34 @@
     request parameter that holds the query text to be analyzed. It
     also supports the "analysis.showmatch" parameter which when set to
     true, all field tokens that match the query tokens will be marked
-    as a "match". 
+    as a "match".
   -->
-  <requestHandler name="/analysis/document" 
-                  class="solr.DocumentAnalysisRequestHandler" 
+  <requestHandler name="/analysis/document"
+                  class="solr.DocumentAnalysisRequestHandler"
                   startup="lazy" />
 
   <!-- Echo the request contents back to the client -->
   <requestHandler name="/debug/dump" class="solr.DumpRequestHandler" >
     <lst name="defaults">
-     <str name="echoParams">explicit</str> 
+     <str name="echoParams">explicit</str>
      <str name="echoHandler">true</str>
     </lst>
   </requestHandler>
-  
+
   <!-- Search Components
 
-       Search components are registered to SolrCore and used by 
+       Search components are registered to SolrCore and used by
        instances of SearchHandler (which can access them by name)
-       
+
        By default, the following components are available:
-       
+
        <searchComponent name="query"     class="solr.QueryComponent" />
        <searchComponent name="facet"     class="solr.FacetComponent" />
        <searchComponent name="mlt"       class="solr.MoreLikeThisComponent" />
        <searchComponent name="highlight" class="solr.HighlightComponent" />
        <searchComponent name="stats"     class="solr.StatsComponent" />
        <searchComponent name="debug"     class="solr.DebugComponent" />
-   
+
        Default configuration in a requestHandler would look like:
 
        <arr name="components">
@@ -1156,28 +1176,33 @@
          <str>debug</str>
        </arr>
 
-       If you register a searchComponent to one of the standard names, 
+       If you register a searchComponent to one of the standard names,
        that will be used instead of the default.
 
        To insert components before or after the 'standard' components, use:
-    
+
        <arr name="first-components">
          <str>myFirstComponentName</str>
        </arr>
-    
+
        <arr name="last-components">
          <str>myLastComponentName</str>
        </arr>
 
        NOTE: The component registered with the name "debug" will
-       always be executed after the "last-components" 
-       
+<<<<<<< HEAD
+       always be executed after the "last-components"
+
+=======
+       always be executed after the "last-components"
+
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
      -->
-  
+
    <!-- Spell Check
 
         The spell check component can return a list of alternative spelling
-        suggestions.  
+        suggestions.
 
         http://wiki.apache.org/solr/SpellCheckComponent
      -->
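Review bot: unresolved conflict markers were committed around `always be executed after the "last-components"`, with the line duplicated on both sides. They are inside the `<!-- Search Components ... -->` comment, so the document still parses, but the markers and the duplicate line should be removed.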
@@ -1212,11 +1237,11 @@
         <float name="thresholdTokenFrequency">.01</float>
       -->
     </lst>
-    
+
     <!-- a spellchecker that can break or combine words.  See "/spell" handler below for usage -->
     <lst name="spellchecker">
       <str name="name">wordbreak</str>
-      <str name="classname">solr.WordBreakSolrSpellChecker</str>      
+      <str name="classname">solr.WordBreakSolrSpellChecker</str>
       <str name="field">name</str>
       <str name="combineWords">true</str>
       <str name="breakWords">true</str>
@@ -1235,7 +1260,7 @@
        </lst>
      -->
 
-    <!-- a spellchecker that use an alternate comparator 
+    <!-- a spellchecker that use an alternate comparator
 
          comparatorClass be one of:
           1. score (default)
@@ -1261,8 +1286,13 @@
        </lst>
       -->
   </searchComponent>
-  
-  <!-- A request handler for demonstrating the spellcheck component.  
+<<<<<<< HEAD
+
+  <!-- A request handler for demonstrating the spellcheck component.
+=======
+
+  <!-- A request handler for demonstrating the spellcheck component.
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
 
        NOTE: This is purely as an example.  The whole purpose of the
        SpellCheckComponent is to hook it into the request handler that
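Review bot: `<<<<<<< HEAD` directly after `</searchComponent>` is bare text in the `<config>` body, and the second `<!-- A request handler for demonstrating the spellcheck component.` nests a `<!--` inside the comment opened by the first; both are XML well-formedness errors, so Solr will not load this configuration. Resolve to a single comment opener and drop the markers.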
@@ -1271,7 +1301,7 @@
 
        IN OTHER WORDS, THERE IS REALLY GOOD CHANCE THE SETUP BELOW IS
        NOT WHAT YOU WANT FOR YOUR PRODUCTION SYSTEM!
-       
+
        See http://wiki.apache.org/solr/SpellCheckComponent for details
        on the request parameters.
     -->
@@ -1284,33 +1314,38 @@
       <str name="spellcheck.dictionary">default</str>
       <str name="spellcheck.dictionary">wordbreak</str>
       <str name="spellcheck">on</str>
-      <str name="spellcheck.extendedResults">true</str>       
+      <str name="spellcheck.extendedResults">true</str>
       <str name="spellcheck.count">10</str>
       <str name="spellcheck.alternativeTermCount">5</str>
-      <str name="spellcheck.maxResultsForSuggest">5</str>       
+      <str name="spellcheck.maxResultsForSuggest">5</str>
       <str name="spellcheck.collate">true</str>
-      <str name="spellcheck.collateExtendedResults">true</str>  
+      <str name="spellcheck.collateExtendedResults">true</str>
       <str name="spellcheck.maxCollationTries">10</str>
-      <str name="spellcheck.maxCollations">5</str>         
+      <str name="spellcheck.maxCollations">5</str>
     </lst>
     <arr name="last-components">
       <str>spellcheck</str>
     </arr>
   </requestHandler>
 
-  <!-- The SuggestComponent in Solr provides users with automatic suggestions for query terms. 
+  <!-- The SuggestComponent in Solr provides users with automatic suggestions for query terms.
        You can use this to implement a powerful auto-suggest feature in your search application.
        As with the rest of this solrconfig.xml file, the configuration of this component is purely
-       an example that applies specifically to this configset and example documents. 
-       
+<<<<<<< HEAD
+       an example that applies specifically to this configset and example documents.
+
+=======
+       an example that applies specifically to this configset and example documents.
+
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
        More information about this component and other configuration options are described in the
-       "Suggester" section of the reference guide available at 
+       "Suggester" section of the reference guide available at
        http://archive.apache.org/dist/lucene/solr/ref-guide
     -->
   <searchComponent name="suggest" class="solr.SuggestComponent">
     <lst name="suggester">
       <str name="name">mySuggester</str>
-      <str name="lookupImpl">FuzzyLookupFactory</str>      
+      <str name="lookupImpl">FuzzyLookupFactory</str>
       <str name="dictionaryImpl">DocumentDictionaryFactory</str>
       <str name="field">cat</str>
       <str name="weightField">price</str>
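Review bot: the `<<<<<<< HEAD` / `=======` / `>>>>>>> ff03ec24` block inside the SuggestComponent comment is another unresolved conflict that must be removed; both sides carry the same `an example that applies specifically to this configset and example documents.` line, so only one copy should remain. Because it sits inside `<!-- ... -->` it will not break parsing, but it ships the conflict text into every configset generated from this file.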
@@ -1319,7 +1354,7 @@
     </lst>
   </searchComponent>
 
-  <requestHandler name="/suggest" class="solr.SearchHandler" 
+  <requestHandler name="/suggest" class="solr.SearchHandler"
                   startup="lazy" >
     <lst name="defaults">
       <str name="suggest">true</str>
@@ -1341,8 +1376,8 @@
 
        This is purely as an example.
 
-       In reality you will likely want to add the component to your 
-       already specified request handlers. 
+       In reality you will likely want to add the component to your
+       already specified request handlers.
     -->
   <requestHandler name="/tvrh" class="solr.SearchHandler" startup="lazy">
     <lst name="defaults">
@@ -1383,11 +1418,11 @@
         -->
       <str name="carrot.algorithm">org.carrot2.clustering.lingo.LingoClusteringAlgorithm</str>
 
-      <!-- Override location of the clustering algorithm's resources 
+      <!-- Override location of the clustering algorithm's resources
            (attribute definitions and lexical resources).
 
            A directory from which to load algorithm-specific stop words,
-           stop labels and attribute definition XMLs. 
+           stop labels and attribute definition XMLs.
 
            For an overview of Carrot2 lexical resources, see:
            http://download.carrot2.org/head/manual/#chapter.lexical-resources
@@ -1415,8 +1450,8 @@
 
        This is purely as an example.
 
-       In reality you will likely want to add the component to your 
-       already specified request handlers. 
+       In reality you will likely want to add the component to your
+       already specified request handlers.
     -->
   <requestHandler name="/clustering"
                   startup="lazy"
@@ -1451,7 +1486,7 @@
       <str>clustering</str>
     </arr>
   </requestHandler>
-  
+
   <!-- Terms Component
 
        http://wiki.apache.org/solr/TermsComponent
@@ -1466,7 +1501,7 @@
      <lst name="defaults">
       <bool name="terms">true</bool>
       <bool name="distrib">false</bool>
-    </lst>     
+    </lst>
     <arr name="components">
       <str>terms</str>
     </arr>
@@ -1505,7 +1540,7 @@
     <highlighting>
       <!-- Configure the standard fragmenter -->
       <!-- This could most likely be commented out in the "default" case -->
-      <fragmenter name="gap" 
+      <fragmenter name="gap"
                   default="true"
                   class="solr.highlight.GapFragmenter">
         <lst name="defaults">
@@ -1513,10 +1548,10 @@
         </lst>
       </fragmenter>
 
-      <!-- A regular-expression-based fragmenter 
-           (for sentence extraction) 
+      <!-- A regular-expression-based fragmenter
+           (for sentence extraction)
         -->
-      <fragmenter name="regex" 
+      <fragmenter name="regex"
                   class="solr.highlight.RegexFragmenter">
         <lst name="defaults">
           <!-- slightly smaller fragsizes work better because of slop -->
@@ -1529,7 +1564,7 @@
       </fragmenter>
 
       <!-- Configure the standard formatter -->
-      <formatter name="html" 
+      <formatter name="html"
                  default="true"
                  class="solr.highlight.HtmlFormatter">
         <lst name="defaults">
@@ -1539,27 +1574,27 @@
       </formatter>
 
       <!-- Configure the standard encoder -->
-      <encoder name="html" 
+      <encoder name="html"
                class="solr.highlight.HtmlEncoder" />
 
       <!-- Configure the standard fragListBuilder -->
-      <fragListBuilder name="simple" 
+      <fragListBuilder name="simple"
                        class="solr.highlight.SimpleFragListBuilder"/>
-      
+
       <!-- Configure the single fragListBuilder -->
-      <fragListBuilder name="single" 
+      <fragListBuilder name="single"
                        class="solr.highlight.SingleFragListBuilder"/>
-      
+
       <!-- Configure the weighted fragListBuilder -->
-      <fragListBuilder name="weighted" 
+      <fragListBuilder name="weighted"
                        default="true"
                        class="solr.highlight.WeightedFragListBuilder"/>
-      
+
       <!-- default tag FragmentsBuilder -->
-      <fragmentsBuilder name="default" 
+      <fragmentsBuilder name="default"
                         default="true"
                         class="solr.highlight.ScoreOrderFragmentsBuilder">
-        <!-- 
+        <!--
         <lst name="defaults">
           <str name="hl.multiValuedSeparatorChar">/</str>
         </lst>
@@ -1567,7 +1602,7 @@
       </fragmentsBuilder>
 
       <!-- multi-colored tag FragmentsBuilder -->
-      <fragmentsBuilder name="colored" 
+      <fragmentsBuilder name="colored"
                         class="solr.highlight.ScoreOrderFragmentsBuilder">
         <lst name="defaults">
           <str name="hl.tag.pre"><![CDATA[
@@ -1579,8 +1614,13 @@
           <str name="hl.tag.post"><![CDATA[</b>]]></str>
         </lst>
       </fragmentsBuilder>
-      
-      <boundaryScanner name="default" 
+<<<<<<< HEAD
+
+      <boundaryScanner name="default"
+=======
+
+      <boundaryScanner name="default"
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
                        default="true"
                        class="solr.highlight.SimpleBoundaryScanner">
         <lst name="defaults">
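Review bot: the conflict markers around `<boundaryScanner name="default"` are not only left in place but duplicate the opening tag: `+      <boundaryScanner name="default"` appears on both sides of `=======`, while the `default="true"` and `class="solr.highlight.SimpleBoundaryScanner"` continuation lines follow only once, which is not well-formed XML. Resolve to a single `<boundaryScanner name="default"` line preceded by one blank line and delete the `<<<<<<<`, `=======` and `>>>>>>>` lines.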
@@ -1588,8 +1628,13 @@
           <str name="hl.bs.chars">.,!? &#9;&#10;&#13;</str>
         </lst>
       </boundaryScanner>
-      
-      <boundaryScanner name="breakIterator" 
+<<<<<<< HEAD
+
+      <boundaryScanner name="breakIterator"
+=======
+
+      <boundaryScanner name="breakIterator"
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
                        class="solr.highlight.BreakIteratorBoundaryScanner">
         <lst name="defaults">
           <!-- type should be one of CHARACTER, WORD(default), LINE and SENTENCE -->
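Review bot: same unresolved conflict for `<boundaryScanner name="breakIterator"`: the start tag is emitted twice across the `=======` marker with only one `class="solr.highlight.BreakIteratorBoundaryScanner"` continuation, and the marker lines themselves are invalid outside a comment. Keep one `<boundaryScanner name="breakIterator"` line and drop the markers.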
@@ -1611,15 +1656,20 @@
 
        http://wiki.apache.org/solr/UpdateRequestProcessor
 
-    --> 
+    -->
   <!-- Deduplication
 
        An example dedup update processor that creates the "id" field
        on the fly based on the hash code of some other fields.  This
        example has overwriteDupes set to false since we are using the
        id field as the signatureField and Solr will maintain
-       uniqueness based on that anyway.  
-       
+<<<<<<< HEAD
+       uniqueness based on that anyway.
+
+=======
+       uniqueness based on that anyway.
+
+>>>>>>> ff03ec24 (Fixed: The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905) (OFBIZ-12316))
     -->
   <!--
      <updateRequestProcessorChain name="dedupe">
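Review bot: the Deduplication comment also carries a leftover `<<<<<<< HEAD` ... `>>>>>>> ff03ec24` block around the line `uniqueness based on that anyway.`; both sides are identical, so resolve to one copy. Given that this is the fifth such block in the same file, the merge resolution should be redone and the resulting solrconfig.xml run through an XML parser before this lands on release17.12.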
@@ -1634,7 +1684,7 @@
        <processor class="solr.RunUpdateProcessorFactory" />
      </updateRequestProcessorChain>
     -->
-  
+
   <!-- Language identification
 
        This example update chain identifies the language of the incoming
@@ -1674,7 +1724,7 @@
       <processor class="solr.RunUpdateProcessorFactory" />
     </updateRequestProcessorChain>
   -->
- 
+
   <!-- Response Writers
 
        http://wiki.apache.org/solr/QueryResponseWriter
@@ -1690,7 +1740,7 @@
        overridden...
     -->
   <!--
-     <queryResponseWriter name="xml" 
+     <queryResponseWriter name="xml"
                           default="true"
                           class="solr.XMLResponseWriter" />
      <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
@@ -1709,18 +1759,18 @@
      -->
     <str name="content-type">text/plain; charset=UTF-8</str>
   </queryResponseWriter>
-  
+
   <!--
      Custom response writers can be declared as needed...
     -->
     <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
       <str name="template.base.dir">${velocity.template.base.dir:}</str>
     </queryResponseWriter>
-  
+
 
   <!-- XSLT response writer transforms the XML output by any xslt file found
        in Solr's conf/xslt directory.  Changes to xslt files are checked for
-       every xsltCacheLifetimeSeconds.  
+       every xsltCacheLifetimeSeconds.
     -->
   <queryResponseWriter name="xslt" class="solr.XSLTResponseWriter">
     <int name="xsltCacheLifetimeSeconds">5</int>
@@ -1748,11 +1798,11 @@
     -->
   <!-- example of registering a custom function parser  -->
   <!--
-     <valueSourceParser name="myfunc" 
+     <valueSourceParser name="myfunc"
                         class="com.mycompany.MyValueSourceParser" />
     -->
-    
-  
+
+
   <!-- Document Transformers
        http://wiki.apache.org/solr/DocTransformers
     -->
@@ -1761,12 +1811,12 @@
      <transformer name="db" class="com.mycompany.LoadFromDatabaseTransformer" >
        <int name="connection">jdbc://....</int>
      </transformer>
-     
+
      To add a constant value to all docs, use:
      <transformer name="mytrans2" class="org.apache.solr.response.transform.ValueAugmenterFactory" >
        <int name="value">5</int>
      </transformer>
-     
+
      If you want the user to still be able to change it with _value:something_ use this:
      <transformer name="mytrans3" class="org.apache.solr.response.transform.ValueAugmenterFactory" >
        <double name="defaultValue">5</double>
@@ -1776,7 +1826,7 @@
       EditorialMarkerFactory will do exactly that:
      <transformer name="qecBooster" class="org.apache.solr.response.transform.EditorialMarkerFactory" />
     -->
-    
+
 
   <!-- Legacy config for the admin interface -->
   <admin>
diff --git a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index fbefcb2..96e8c27 100644
--- a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -58,7 +58,7 @@ import org.apache.solr.servlet.SolrDispatchFilter;
 public class OFBizSolrContextFilter extends SolrDispatchFilter {
 
     public static final String module = OFBizSolrContextFilter.class.getName();
-    
+
     private static final String resource = "SolrUiLabels";
 
     /**
@@ -82,7 +82,7 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
 
         // check if the request is from an authorized user
         String servletPath = httpRequest.getServletPath();
-        if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update") 
+        if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
                 || servletPath.endsWith("/update/json") || servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
                 || servletPath.endsWith("/replication") || servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
             HttpSession session = httpRequest.getSession();
@@ -133,7 +133,7 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
                 }
             }
         }
-        
+
         String charset = request.getCharacterEncoding();
         String rname = null;
         if (httpRequest.getRequestURI() != null) {
@@ -169,15 +169,46 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
         try {
             nodeConfig = loadNodeConfig(solrHome, extraProperties);
         } catch (SolrException e) {
-//            nodeConfig = loadNodeConfig("plugins/solr/home", extraProperties);
             Path path = Paths.get("plugins/solr/home");
             nodeConfig = loadNodeConfig(path, extraProperties);
         }
-        cores = new CoreContainer(nodeConfig, extraProperties, true);
+        // Following is a (justified) rant!
+        // The API at
+        // https://solr.apache.org/docs/8_9_0/solr-core/org/apache/solr/core/CoreContainer.html#CoreContainer-org.apache.solr.core.NodeConfig-
+        // is not up to date (ie wrong!).
+        //
+        // For instance the methods
+        // CoreContainer(Path solrHome, Properties properties)
+        // CoreContainer(NodeConfig config, boolean asyncSolrCoreLoad)
+        // no longer exist.
+        //
+        // So you would thought
+        // "Better refer to the real CoreContainer class using your IDE"
+        //
+        // Wrong, try
+        // cores = new CoreContainer(nodeConfig, extraProperties);
+        // for instance.
+        // You get error: incompatible types: Properties cannot be converted to CoresLocator
+        // You may also try
+        // cores = new CoreContainer(nodeConfig, extraProperties, true);
+        // Then you get a bit more information:
+        // error: no suitable constructor found for CoreContainer(NodeConfig,Properties)
+        // cores = new CoreContainer(nodeConfig, extraProperties);
+        // ^
+        // constructor CoreContainer.CoreContainer(Path,Properties) is not applicable
+        // (argument mismatch; NodeConfig cannot be converted to Path)
+        // constructor CoreContainer.CoreContainer(NodeConfig,boolean) is not applicable
+        // (argument mismatch; Properties cannot be converted to boolean)
+        // constructor CoreContainer.CoreContainer(NodeConfig,CoresLocator) is not applicable
+        // (argument mismatch; Properties cannot be converted to CoresLocator)
+        //
+        // As I'm not a Solr developer I did not dig deeper (was already deep enough)
+        // And this keeps it as simple as possible. Solr works in OFBiz so hopefully it's the right thing!
+        cores = new CoreContainer(nodeConfig);
         cores.load();
         return cores;
     }
-    
+
     private void sendJsonHeaderMessage(HttpServletRequest httpRequest, HttpServletResponse httpResponse, GenericValue userLogin, String notLoginMessage, String noPermissionMessage, Locale locale) throws IOException {
         httpResponse.setContentType("application/json");
         MapToJSON mapToJson = new MapToJSON();
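Review bot: the 30-line comment above `cores = new CoreContainer(nodeConfig);` contradicts itself and belongs in the commit message or a JIRA comment rather than in the source. It states that `CoreContainer(NodeConfig config, boolean asyncSolrCoreLoad)` no longer exists, yet the quoted compiler output a few lines later lists `constructor CoreContainer.CoreContainer(NodeConfig,boolean) is not applicable (argument mismatch; Properties cannot be converted to boolean)`, which means that constructor does exist. The removed call `new CoreContainer(nodeConfig, extraProperties, true)` passed a trailing `true`; `new CoreContainer(nodeConfig, true)` would keep that boolean and matches the listed `(NodeConfig,boolean)` candidate, whereas `new CoreContainer(nodeConfig)` silently drops it. Whichever is chosen, replace the rant with one or two lines stating which constructor is used and why, referencing OFBIZ-12316.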
@@ -185,7 +216,7 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
         JSON json;
         String message = "";
         OutputStream os = null;
-        
+
         try {
             os = httpResponse.getOutputStream();
             if (UtilValidate.isEmpty(userLogin)) {