From is...@apache.org
Subject [1/2] lucene-solr:branch_7_3: SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing
Date Sun, 06 May 2018 17:45:13 GMT
Repository: lucene-solr
Updated Branches:
  refs/heads/branch_7_3 7b74345ed -> ae0705edb


SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml
and schema parsing


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/6c4e45e2
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/6c4e45e2
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/6c4e45e2

Branch: refs/heads/branch_7_3
Commit: 6c4e45e28494d4d4d04fb89852d18c86fa3d5f84
Parents: 7b74345
Author: Uwe Schindler <uschindler@apache.org>
Authored: Sun May 6 14:21:34 2018 +0200
Committer: Ishan Chattopadhyaya <ishan@apache.org>
Committed: Sun May 6 23:13:43 2018 +0530

----------------------------------------------------------------------
 solr/CHANGES.txt                                 |  6 +++++-
 .../org/apache/solr/util/SystemIdResolver.java   | 14 ++++----------
 .../apache/solr/util/TestSystemIdResolver.java   | 19 +++++++++++++++++--
 3 files changed, 26 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/CHANGES.txt
----------------------------------------------------------------------
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 87c999d..bb908d4 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -36,7 +36,8 @@ Bug Fixes
 
 * SOLR-12256: Fixed some eventual-consistency issues with collection aliases by using ZooKeeper.sync().
(David Smiley)
 
-* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down
state (Cao Manh Dat)
+* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down

+  state (Cao Manh Dat)
 
 * SOLR-12146: LIR should skip deleted replicas (Cao Manh Dat)
 
@@ -50,6 +51,9 @@ Bug Fixes
 
 * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
 
+* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml
and schema parsing.
+  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
+
 ==================  7.3.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
index 6fda14f..c208520 100644
--- a/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
+++ b/solr/core/src/java/org/apache/solr/util/SystemIdResolver.java
@@ -16,9 +16,6 @@
  */
 package org.apache.solr.util;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import org.apache.lucene.analysis.util.ResourceLoader;
 
 import org.xml.sax.InputSource;
@@ -26,7 +23,6 @@ import org.xml.sax.EntityResolver;
 import org.xml.sax.ext.EntityResolver2;
 import java.io.File;
 import java.io.IOException;
-import java.lang.invoke.MethodHandles;
 import java.net.URI;
 import java.net.URISyntaxException;
 import javax.xml.transform.Source;
@@ -55,7 +51,6 @@ import javax.xml.stream.XMLStreamException;
  * </pre>
  */
 public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
   public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
   public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
@@ -126,8 +121,9 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2
{
   
   @Override
   public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
throws IOException {
-    if (systemId == null)
+    if (systemId == null) {
       return null;
+    }
     try {
       final URI uri = resolveRelativeURI(baseURI, systemId);
       
@@ -147,12 +143,10 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2
{
           throw new IOException(re.getMessage(), re);
         }
       } else {
-        // resolve all other URIs using the standard resolver
-        return null;
+        throw new IOException("Cannot resolve absolute systemIDs / external entities (only
relative paths work): " + systemId);
       }
     } catch (URISyntaxException use) {
-      log.warn("An URI systax problem occurred during resolving SystemId, falling back to
default resolver", use);
-      return null;
+      throw new IOException("An URI syntax problem occurred during resolving systemId: "
+ systemId, use);
     }
   }
 
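Review bot: The else branch that now throws `Cannot resolve absolute systemIDs / external entities ...` lost its explanation when `// resolve all other URIs using the standard resolver` was deleted, and nothing in the hunk says why null is no longer returned. A comment above the throw, such as `// never return null here: null hands the systemId to the parser's default resolver, which would fetch file: or http: entities`, would keep a later change from restoring the fallback. Both new messages echo `systemId` verbatim, so any caller that surfaces this IOException to a client should presumably treat the message as untrusted text. The method starts above the hunk, so the scheme check that selects this branch is not visible here.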

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6c4e45e2/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
index 7980a59..4c2677d 100644
--- a/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
+++ b/solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java
@@ -17,6 +17,7 @@
 package org.apache.solr.util;
 
 import java.io.File;
+import java.io.IOException;
 import java.nio.file.Path;
 
 import org.apache.commons.io.IOUtils;
@@ -76,8 +77,22 @@ public class TestSystemIdResolver extends LuceneTestCase {
     assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
       SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"),
"crazy-path-to-schema.xml");
     
-    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute,
the resolver should return null (default fallback)
-    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
+    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
+    IOException ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
+    });
+    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+    
+    ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
+    });
+    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
+    
+    // check that we can't escape with absolute file paths:
+    ioe = expectThrows(IOException.class, () -> {
+      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
+    });
+    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath
or"));
   }
 
 }
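Review bot: The `/etc/passwd` case passes on a different message, `Can't find resource '/etc/passwd' in classpath or`, which suggests the bare absolute path is not rejected by the resolver itself but is passed on to the resource loader and fails only because the lookup finds nothing. The assertion therefore depends on the loader's message text and on its path confinement, neither of which is visible in this hunk. A comment such as `// no scheme: resolved against the solrres base and refused by the ResourceLoader, not by SystemIdResolver` would record where the check lives. The new `URISyntaxException` branch in `resolveEntity` has no case here; an `expectThrows(IOException.class, ...)` call with a syntactically invalid systemId would cover it. The test method begins above the hunk.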

