Posted to commits@lucene.apache.org by ds...@apache.org on 2012/03/26 06:04:02 UTC

svn commit: r1305212 - in /lucene/dev/branches/branch_3x/solr: CHANGES.txt core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java core/src/test-files/solr/conf/solrconfig.xml core/src/test/org/apache/solr/request/TestRemoteStreaming.java

Author: dsmiley
Date: Mon Mar 26 04:04:02 2012
New Revision: 1305212

URL: http://svn.apache.org/viewvc?rev=1305212&view=rev
Log:
SOLR-3161 limit qt=/... (leading /) to refer to a SearchHandler for safety

Modified:
    lucene/dev/branches/branch_3x/solr/CHANGES.txt
    lucene/dev/branches/branch_3x/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java
    lucene/dev/branches/branch_3x/solr/core/src/test-files/solr/conf/solrconfig.xml
    lucene/dev/branches/branch_3x/solr/core/src/test/org/apache/solr/request/TestRemoteStreaming.java

Modified: lucene/dev/branches/branch_3x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_3x/solr/CHANGES.txt?rev=1305212&r1=1305211&r2=1305212&view=diff
==============================================================================
--- lucene/dev/branches/branch_3x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_3x/solr/CHANGES.txt Mon Mar 26 04:04:02 2012
@@ -47,6 +47,9 @@ Upgrading from Solr 3.5
   configuring /select as is done in the example solrconfig.xml, and register your other search
   handlers with a leading '/' which is a recommended practice.  (David Smiley, Erik Hatcher)
 
+* SOLR-3161: Don't use the 'qt' parameter with a leading '/'.  It probably won't work in 4.0
+  and it's now limited in 3.6 to SearchHandler subclasses that aren't lazy-loaded.
+
 New Features
 ----------------------
 * SOLR-2020: Add Java client that uses Apache Http Components http client (4.x).

Modified: lucene/dev/branches/branch_3x/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_3x/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java?rev=1305212&r1=1305211&r2=1305212&view=diff
==============================================================================
--- lucene/dev/branches/branch_3x/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java (original)
+++ lucene/dev/branches/branch_3x/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java Mon Mar 26 04:04:02 2012
@@ -26,6 +26,8 @@ import java.io.ByteArrayInputStream;
 import java.nio.charset.Charset;
 import java.util.Map;
 import java.util.WeakHashMap;
+
+import org.apache.solr.handler.component.SearchHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
@@ -226,6 +228,11 @@ public class SolrDispatchFilter implemen
                 if( handler == null ) {
                   throw new SolrException( SolrException.ErrorCode.BAD_REQUEST, "unknown handler: "+qt);
                 }
+                if( qt != null && qt.startsWith("/") && !(handler instanceof SearchHandler)) {
+                  //For security reasons it's a bad idea to allow a leading '/', ex: /select?qt=/update see SOLR-3161
+                  //There was no restriction from Solr 1.4 thru 3.5 and it's now only supported for SearchHandlers.
+                  throw new SolrException( SolrException.ErrorCode.BAD_REQUEST, "Invalid query type.  Do not use /select to access: "+qt);
+                }
               }
             }
           }
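Review bot: The new guard allows only handlers that are `instanceof SearchHandler`, which means a SearchHandler registered with lazy loading (wrapped at registration time, as the CHANGES entry for this commit implies) is rejected by the same message as a genuinely disallowed handler, and nothing in the code says so. A one-line comment next to the check would save the next maintainer a debugging round: `// Lazy-loaded handlers are wrapped and so do not pass this instanceof check; they are rejected too (see CHANGES, SOLR-3161).` It would also be worth stating in the comment that the check only covers requests that reach this branch, i.e. where `qt` was used to resolve `handler`; the enclosing method and the surrounding conditional both start and end outside this hunk, so I cannot confirm from here that no other path resolves a handler from `qt`.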

Modified: lucene/dev/branches/branch_3x/solr/core/src/test-files/solr/conf/solrconfig.xml
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_3x/solr/core/src/test-files/solr/conf/solrconfig.xml?rev=1305212&r1=1305211&r2=1305212&view=diff
==============================================================================
--- lucene/dev/branches/branch_3x/solr/core/src/test-files/solr/conf/solrconfig.xml (original)
+++ lucene/dev/branches/branch_3x/solr/core/src/test-files/solr/conf/solrconfig.xml Mon Mar 26 04:04:02 2012
@@ -496,6 +496,14 @@
     </httpCaching>
   </requestDispatcher>
 
+  <!-- Echo the request contents back to the client -->
+  <requestHandler name="/debug/dump" class="solr.DumpRequestHandler" >
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <str name="echoHandler">true</str>
+    </lst>
+  </requestHandler>
+
   <admin>
     <defaultQuery>solr</defaultQuery>
     <gettableFiles>solrconfig.xml scheam.xml admin-extra.html</gettableFiles>

Modified: lucene/dev/branches/branch_3x/solr/core/src/test/org/apache/solr/request/TestRemoteStreaming.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_3x/solr/core/src/test/org/apache/solr/request/TestRemoteStreaming.java?rev=1305212&r1=1305211&r2=1305212&view=diff
==============================================================================
--- lucene/dev/branches/branch_3x/solr/core/src/test/org/apache/solr/request/TestRemoteStreaming.java (original)
+++ lucene/dev/branches/branch_3x/solr/core/src/test/org/apache/solr/request/TestRemoteStreaming.java Mon Mar 26 04:04:02 2012
@@ -23,6 +23,7 @@ import org.apache.solr.client.solrj.Solr
 import org.apache.solr.client.solrj.SolrServer;
 import org.apache.solr.client.solrj.SolrServerException;
 import org.apache.solr.client.solrj.impl.CommonsHttpSolrServer;
+import org.apache.solr.client.solrj.request.QueryRequest;
 import org.apache.solr.client.solrj.response.QueryResponse;
 import org.apache.solr.common.SolrInputDocument;
 import org.apache.solr.util.ExternalPaths;
@@ -44,7 +45,8 @@ public class TestRemoteStreaming extends
 
   @BeforeClass
   public static void beforeTest() throws Exception {
-    createJetty(ExternalPaths.EXAMPLE_HOME, null, null);
+    //this one has handleSelect=true which a test here needs
+    createJetty("solr/", null, null);
   }
 
   @Before
@@ -52,7 +54,7 @@ public class TestRemoteStreaming extends
     //add document and commit, and ensure it's there
     SolrServer server1 = getSolrServer();
     SolrInputDocument doc = new SolrInputDocument();
-    doc.addField( "id", "xxxx" );
+    doc.addField( "id", "1234" );
     server1.add(doc);
     server1.commit();
     assertTrue(searchFindsIt());
@@ -71,7 +73,7 @@ public class TestRemoteStreaming extends
 
     String getUrl = solrServer.getBaseURL()+"/debug/dump?wt=xml&stream.url="+URLEncoder.encode(streamUrl,"UTF-8");
     String content = getUrlForString(getUrl);
-    assertTrue(content.contains("xxxx"));
+    assertTrue(content.contains("1234"));
     //System.out.println(content);
   }
 
@@ -100,6 +102,29 @@ public class TestRemoteStreaming extends
     assertTrue(searchFindsIt());//still there
   }
 
+  /** SOLR-3161
+   * Technically stream.body isn't remote streaming, but there wasn't a better place for this test method. */
+  @Test(expected = SolrServerException.class)
+  public void testQtUpdateFails() throws SolrServerException {
+    SolrQuery query = new SolrQuery();
+    query.setQuery( "*:*" );//for anything
+    query.add("echoHandler","true");
+    //sneaky sneaky
+    query.add("qt","/update");
+    query.add("stream.body","<delete><query>*:*</query></delete>");
+
+    QueryRequest queryRequest = new QueryRequest(query) {
+      @Override
+      public String getPath() { //don't let superclass substitute qt for the path
+        return "/select";
+      }
+    };
+    QueryResponse rsp = queryRequest.process(getSolrServer());
+    //!! should *fail* above for security purposes
+    String handler = (String) rsp.getHeader().get("handler");
+    System.out.println(handler);
+  }
+
   /** Compose a url that if you get it, it will delete all the data. */
   private String makeDeleteAllUrl() throws UnsupportedEncodingException {
     CommonsHttpSolrServer solrServer = (CommonsHttpSolrServer) getSolrServer();
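Review bot: `@Test(expected = SolrServerException.class)` on testQtUpdateFails passes on any SolrServerException, including one caused by an unreachable or misconfigured server, and it never checks that the delete was actually blocked, so the test does not pin the property the commit is adding. The `System.out.println(handler)` after `process(...)` can only execute when the test is already failing, so it is dead diagnostic output. I would catch the exception explicitly and then assert `searchFindsIt()` so a request that slipped through and deleted the document is caught; which exception type the client surfaces for the 400 is not visible in this hunk, so the catch below keeps the type the annotation expects.
```java
  @Test
  public void testQtUpdateFails() throws SolrServerException {
    // … unchanged: query and queryRequest construction …
    try {
      queryRequest.process(getSolrServer());
      fail("qt=/update sent to /select should have been rejected");
    } catch (SolrServerException expected) {
      // rejected as intended; now verify the delete did not go through
    }
    assertTrue(searchFindsIt());
  }
```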
@@ -109,7 +134,7 @@ public class TestRemoteStreaming extends
 
   private boolean searchFindsIt() throws SolrServerException {
     SolrQuery query = new SolrQuery();
-    query.setQuery( "id:xxxx" );
+    query.setQuery( "id:1234" );
     QueryResponse rsp = getSolrServer().query(query);
     return rsp.getResults().getNumFound() != 0;
   }