Posted to solr-dev@lucene.apache.org by "Paul Lovvik (JIRA)" <ji...@apache.org> on 2009/02/21 00:21:02 UTC

[jira] Created: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

XSS vulnerability in schema.jsp (patch included)
------------------------------------------------

                 Key: SOLR-1031
                 URL: https://issues.apache.org/jira/browse/SOLR-1031
             Project: Solr
          Issue Type: Bug
          Components: web gui
    Affects Versions: 1.3, 1.2
            Reporter: Paul Lovvik


If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.

The javascript will appear in the "Top Terms" part of the UI.

I have created a simple patch to prevent this problem from occurring.


Hmmm...  I apparently can't attach the patch, so here is the patch text:

Index: src/webapp/web/admin/schema.jsp
===================================================================
--- src/webapp/web/admin/schema.jsp	(revision 746406)
+++ src/webapp/web/admin/schema.jsp	(working copy)
@@ -490,14 +490,10 @@
         
         var numTerms = 0;
         $.each(topTerms, function(term, count) {
-          var row = document.createElement('tr');
-          var c1 = document.createElement('td');
-          c1.innerHTML=term;
-          var c2 = document.createElement('td');
-          c2.innerHTML=count;
-          row.appendChild(c1);
-          row.appendChild(c2);
-          tbody.appendChild(row);
+          var c1 = $('<td>').text(term);
+          var c2 = $('<td>').text(count);
+          var row = $('<tr>').append(c1).append(c2);
+          tbody.appendChild(row.get(0));
           numTerms++;
         });
         tbl.appendChild(tbody);
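
Review bot: the two `.text()` calls on the added lines are the whole fix, and nothing in the hunk records why `innerHTML` was dropped, so a later cleanup could reintroduce it. Add a one-line comment above `var c1 = $('<td>').text(term);` stating that `term` is raw indexed content and must be inserted as text, never as markup.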


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Erik Hatcher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Hatcher updated SOLR-1031:
-------------------------------

    Fix Version/s: 1.4

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>             Fix For: 1.4
>
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.



[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Paul Lovvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lovvik updated SOLR-1031:
------------------------------

    Description: 
If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.

The javascript will appear in the "Top Terms" part of the UI.

I have created a simple patch to prevent this problem from occurring.


  was:
If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.

The javascript will appear in the "Top Terms" part of the UI.

I have created a simple patch to prevent this problem from occurring.


Hmmm...  I apparently can't attach the patch, so here is the patch text:

Index: src/webapp/web/admin/schema.jsp
===================================================================
--- src/webapp/web/admin/schema.jsp	(revision 746406)
+++ src/webapp/web/admin/schema.jsp	(working copy)
@@ -490,14 +490,10 @@
         
         var numTerms = 0;
         $.each(topTerms, function(term, count) {
-          var row = document.createElement('tr');
-          var c1 = document.createElement('td');
-          c1.innerHTML=term;
-          var c2 = document.createElement('td');
-          c2.innerHTML=count;
-          row.appendChild(c1);
-          row.appendChild(c2);
-          tbody.appendChild(row);
+          var c1 = $('<td>').text(term);
+          var c2 = $('<td>').text(count);
+          var row = $('<tr>').append(c1).append(c2);
+          tbody.appendChild(row.get(0));
           numTerms++;
         });
         tbl.appendChild(tbody);



> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.



[jira] Commented: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Peter Wolanin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675524#action_12675524 ] 

Peter Wolanin commented on SOLR-1031:
-------------------------------------

To add a little more background - I ran into this bug while doing work on our Drupal integration module.  It's easy to demonstrate, and basically happens if a script is indexed in an unprocessed or untokenized field (e.g. a string field) and shows up as one of the top terms on the schema browser page (schema.jsp) when one goes to examine a particular field.

The risk of allowing such script to execute could include modification or deletion of the index, as well as other XSS attacks, and the danger of a small JS payload is potentially enhanced by the fact that it could probably use jQuery functions like jQuery.post().

For the Drupal module we are mitigating this risk by using the PHP strip_tags() function prior to indexing content, but it seems like this is something Solr should handle more generally.

I first observed the bug in Solr 1.3, and it's still present in trunk (1.4).

Re-posting Paul's patch with the preferred naming.

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.



[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Peter Wolanin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Wolanin updated SOLR-1031:
--------------------------------

    Attachment: SOLR-1031.patch

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.



[jira] Issue Comment Edited: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Peter Wolanin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675524#action_12675524 ] 

pwolanin edited comment on SOLR-1031 at 2/20/09 6:07 PM:
--------------------------------------------------------------

To add a little more background - I ran into this bug while doing work on our Drupal integration module.  It's easy to demonstrate, and basically happens if a script is indexed in an unprocessed or untokenized field (e.g. a string field) and shows up as one of the top terms on the schema browser page (schema.jsp) when one goes to examine a particular field.

The risk of allowing such script to execute could include modification or deletion of the index, as well as other XSS attacks, and the danger of a small JS payload is potentially enhanced by the fact that it could probably use jQuery functions like jQuery.post().

For the Drupal module we are mitigating this risk by using the PHP strip_tags() function prior to indexing content, but it seems like this is something Solr should handle more generally.

I first observed the bug in Solr 1.3, and it's still present in trunk (1.4).

Re-posting Paul's patch with the preferred naming.

      was (Author: pwolanin):
    To add a little more background - I ran into this bug while doing work on our Drupal integration module.  It's easy to demonstrate, and basically happens if a script is indexed in an unprocessed or untokenized field (e.g. a string field) and shows up as one of the top terms on the schema browser page (schema.jsp) when one goes to examine a particular field.

The risk of allowing such script to execute cold include modification or deletion of the index, as well as other XSS attacks, and the danger of a small JS payload is potentially enhanced by the fact that it could probably use jQuery functions like jQuery.post().

For the Drupal module we are mitigating this risk by using the PHP strip_tags() function prior to indexing content, but it seems like this is something Solr should handle more generally.

I first observed the bug in Solr 1.3, and it's still present in trunk (1.4).

Re-posting Paul's patch with the preferred naming.
  
> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.



[jira] Commented: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Peter Wolanin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675526#action_12675526 ] 

Peter Wolanin commented on SOLR-1031:
-------------------------------------

Drupal ships with a little JS function for sanitizing output (works like the PHP function htmlspecialchars($text, ENT_QUOTES)).  Possibly you could add something similar if the text() function doesn't give the desired output:


{code:javascript}
/**
 * Encode special characters in a plain-text string for display as HTML.
 */
Drupal.checkPlain = function(str) {
  str = String(str);
  var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  for (var character in replace) {
    var regex = new RegExp(character, 'g');
    str = str.replace(regex, replace[character]);
  }
  return str;
};
{code}

http://php.net/htmlspecialchars

http://cvs.drupal.org/viewvc.py/drupal/drupal/misc/drupal.js?revision=1.50&view=markup

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
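
An added example, not part of the original thread or of Solr's or Drupal's code: the escaping approach suggested above, applied to the Top Terms rows, with a check that flags any tag the renderer did not emit itself. It goes beyond the posted function by also encoding the single quote, as htmlspecialchars() with ENT_QUOTES does; the function names and sample terms are constructed for illustration, and rows are built as strings to stand in for the innerHTML assignment.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Encode the five characters that matter in HTML text and quoted attributes.
// A single pass over the input means '&' is never double-encoded.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before" shape: term and count are concatenated into markup unescaped,
// which is what assigning them to innerHTML amounts to.
function renderRowsUnsafe(topTerms) {
  return Object.entries(topTerms)
    .map(([term, count]) => '<tr><td>' + term + '</td><td>' + count + '</td></tr>')
    .join('');
}

// "After" shape: every value is encoded before it reaches the markup.
function renderRowsSafe(topTerms) {
  return Object.entries(topTerms)
    .map(([term, count]) =>
      '<tr><td>' + escapeHtml(term) + '</td><td>' + escapeHtml(count) + '</td></tr>')
    .join('');
}

// Regression check: the only tags allowed in the output are the table tags
// the renderer emits itself; anything else came from indexed data.
function foreignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?(tr|td)>$/.test(tag));
}

// Constructed sample of a top-terms map: term -> document count.
const sampleTopTerms = {
  'solr': 42,
  '<script>marker()</script>': 7,
  'Tom & "Jerry\'s"': 3,
};

console.log(foreignTags(renderRowsUnsafe(sampleTopTerms))); // tags injected by data
console.log(foreignTags(renderRowsSafe(sampleTopTerms)));   // nothing foreign
```
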



[jira] Updated: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Paul Lovvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lovvik updated SOLR-1031:
------------------------------

    Attachment: SchemaXSS.patch

Here is the patch.

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
> Hmmm...  I apparently can't attach the patch, so here is the patch text:
> Index: src/webapp/web/admin/schema.jsp
> ===================================================================
> --- src/webapp/web/admin/schema.jsp	(revision 746406)
> +++ src/webapp/web/admin/schema.jsp	(working copy)
> @@ -490,14 +490,10 @@
>          
>          var numTerms = 0;
>          $.each(topTerms, function(term, count) {
> -          var row = document.createElement('tr');
> -          var c1 = document.createElement('td');
> -          c1.innerHTML=term;
> -          var c2 = document.createElement('td');
> -          c2.innerHTML=count;
> -          row.appendChild(c1);
> -          row.appendChild(c2);
> -          tbody.appendChild(row);
> +          var c1 = $('<td>').text(term);
> +          var c2 = $('<td>').text(count);
> +          var row = $('<tr>').append(c1).append(c2);
> +          tbody.appendChild(row.get(0));
>            numTerms++;
>          });
>          tbl.appendChild(tbody);
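
Review bot: `tbody.appendChild(row.get(0));` mixes jQuery wrappers with the raw DOM calls still used on the context lines (`tbl.appendChild(tbody);`). Either stay in jQuery with `$(tbody).append(row);`, or keep the original createElement structure and replace only the two `innerHTML` assignments with `appendChild(document.createTextNode(term))`, which limits the diff to the lines that matter.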



[jira] Resolved: (SOLR-1031) XSS vulnerability in schema.jsp (patch included)

Posted by "Erik Hatcher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Hatcher resolved SOLR-1031.
--------------------------------

    Resolution: Fixed

Patch applied, tested, and committed.  Thanks, Paul and Peter!

> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
>                 Key: SOLR-1031
>                 URL: https://issues.apache.org/jira/browse/SOLR-1031
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 1.2, 1.3
>            Reporter: Paul Lovvik
>         Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
