You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ja...@apache.org on 2022/03/04 22:59:09 UTC
[solr] branch branch_9x updated: SOLR-16075 ShowFile handler should validate that files param is strictly relative to instance dir in standalone mode (#725)
This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new a7ad826 SOLR-16075 ShowFile handler should validate that files param is strictly relative to instance dir in standalone mode (#725)
a7ad826 is described below
commit a7ad8265ea1a9971802e68b1014fc9fb960df3cf
Author: Jan Høydahl <ja...@users.noreply.github.com>
AuthorDate: Fri Mar 4 17:26:18 2022 +0100
SOLR-16075 ShowFile handler should validate that files param is strictly relative to instance dir in standalone mode (#725)
(cherry picked from commit 2479013589c6d056f5d0e83206d9880641117e00)
---
solr/CHANGES.txt | 2 ++
.../solr/handler/admin/ShowFileRequestHandler.java | 6 ++++++
.../handler/admin/ShowFileRequestHandlerTest.java | 23 ++++++++++++++++++++--
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index ee6390e..dfd062d 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -653,6 +653,8 @@ Bug Fixes
* SOLR-15968: Hide annoying WARN log from bin/solr zk command (janhoy, Mike Drob)
+* SOLR-16075: ShowFileHandler path parameter is now validated to be relative to instance conf dir in standalone mode (janhoy)
+
* SOLR-15558: Don't wait for zombie processes to exit when stopping. (Colvin Cowie)
* SOLR-16019: UTF-8 parsing errors for parameters should cause a HTTP 400 status code, not 500 (janhoy, Matthias Pigulla)
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ShowFileRequestHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/ShowFileRequestHandler.java
index 4747ff8..4e7e1b8 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ShowFileRequestHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ShowFileRequestHandler.java
@@ -386,6 +386,12 @@ public class ShowFileRequestHandler extends RequestHandlerBase implements Permis
// A leading slash is unnecessary but supported and interpreted as start of config dir
Path filePath = configDir.resolve(fname.startsWith("/") ? fname.substring(1) : fname);
req.getCoreContainer().assertPathAllowed(filePath);
+ if (!filePath.normalize().startsWith(configDir.normalize())) {
+ log.error("Path must be inside core config directory");
+ rsp.setException(
+ new SolrException(ErrorCode.BAD_REQUEST, "Path must be inside core config directory"));
+ return null;
+ }
return filePath;
}
diff --git a/solr/core/src/test/org/apache/solr/handler/admin/ShowFileRequestHandlerTest.java b/solr/core/src/test/org/apache/solr/handler/admin/ShowFileRequestHandlerTest.java
index 2a06b99..7a133eb 100644
--- a/solr/core/src/test/org/apache/solr/handler/admin/ShowFileRequestHandlerTest.java
+++ b/solr/core/src/test/org/apache/solr/handler/admin/ShowFileRequestHandlerTest.java
@@ -24,6 +24,7 @@ import org.apache.solr.SolrJettyTestBase;
import org.apache.solr.client.solrj.ResponseParser;
import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrServerException;
+import org.apache.solr.client.solrj.impl.BaseHttpSolrClient;
import org.apache.solr.client.solrj.impl.NoOpResponseParser;
import org.apache.solr.client.solrj.request.QueryRequest;
import org.apache.solr.client.solrj.response.QueryResponse;
@@ -154,15 +155,33 @@ public class ShowFileRequestHandlerTest extends SolrJettyTestBase {
public void testAbsoluteFilename() {
SolrClient client = getSolrClient();
- final QueryRequest request = new QueryRequest(params("file", "/etc/passwd"));
+ final QueryRequest request =
+ new QueryRequest(params("file", "/etc/passwd", "contentType", "text/plain; charset=utf-8"));
request.setPath("/admin/file"); // absolute path not allowed
request.setResponseParser(new NoOpResponseParser());
expectThrows(SolrException.class, () -> client.request(request));
}
+ public void testEscapeConfDir() {
+ SolrClient client = getSolrClient();
+ final QueryRequest request =
+ new QueryRequest(
+ params("file", "../../solr.xml", "contentType", "application/xml; charset=utf-8"));
+ request.setPath("/admin/file");
+ request.setResponseParser(new NoOpResponseParser());
+ var ex = expectThrows(SolrException.class, () -> client.request(request));
+ assertTrue(ex instanceof BaseHttpSolrClient.RemoteSolrException);
+ }
+
public void testPathTraversalFilename() {
SolrClient client = getSolrClient();
- final QueryRequest request = new QueryRequest(params("file", "../../../../../../etc/passwd"));
+ final QueryRequest request =
+ new QueryRequest(
+ params(
+ "file",
+ "../../../../../../etc/passwd",
+ "contentType",
+ "text/plain; charset=utf-8"));
request.setPath("/admin/file");
request.setResponseParser(new NoOpResponseParser());
expectThrows(SolrException.class, () -> client.request(request));