lucene-commits mailing list archives

From rm...@apache.org
Subject [lucene-solr] branch master updated: SOLR-13982: set security-related http response headers by default
Date Tue, 03 Dec 2019 11:17:12 GMT
This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/master by this push:
     new c8c9c10  SOLR-13982: set security-related http response headers by default
c8c9c10 is described below

commit c8c9c1002353db3b8a4d89d21849bf67bc4f0931
Author: Robert Muir <rmuir@apache.org>
AuthorDate: Tue Dec 3 06:12:33 2019 -0500

    SOLR-13982: set security-related http response headers by default
    
    Unfortunately, as a first start this is very weak protection against
    e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
    to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
    still easy.
---
 solr/CHANGES.txt          |  4 ++++
 solr/server/etc/jetty.xml | 41 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 96dfc4d..24d0c5d 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -110,6 +110,10 @@ Upgrade Notes
 * SOLR-13817: Deprecate legacy SolrCache implementations. Users are encouraged to transition
their
   configurations to use org.apache.solr.search.CaffeineCache instead. (ab)
 
+* SOLR-13982: Some security-related http headers such as Content-Security-Policy are now
set. If you have custom html served
+  up by Solr's http server that contains inline javascript, it will no longer execute in
modern browsers. You can fix your JS
+  code to not run inline anymore, or edit etc/jetty.xml and weaken the CSP, or remove/alter
the headers with a reverse proxy. (rmuir)
+
 New Features
 ---------------------
 * SOLR-13821: A Package store to store and load package artifacts (noble, Ishan Chattopadhyaya)
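Review bot: the upgrade note in this hunk only names Content-Security-Policy, but the jetty.xml change in the same commit also sets X-Content-Type-Options, X-Frame-Options and X-XSS-Protection on every response (pattern `*`), so operators reading CHANGES.txt will not know those headers appear on their API responses too; suggest listing all four headers and stating that they apply to all responses, not just the admin UI. While editing, capitalize the product terms consistently ("HTTP headers", "custom HTML", "inline JavaScript") to match the surrounding entries.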
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index 1f6de77..0a0172a 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -82,13 +82,52 @@
   </New>
 
     <!-- =========================================================== -->
-    <!-- RewriteHandle to redirect root to Solr                      -->
+    <!-- RewriteHandle to set headers, redirect root to Solr         -->
     <!-- =========================================================== -->
      <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
       <Set name="rewriteRequestURI">true</Set>
       <Set name="rewritePathInfo">false</Set>
       <Set name="originalPathAttribute">requestedPath</Set>
 
+      <!-- security-related headers -->
+      <Call name="addRule">
+        <Arg>
+          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+            <Set name="pattern">*</Set>
+            <Set name="name">Content-Security-Policy</Set>
+            <Set name="value">default-src 'none'; base-uri 'none'; form-action 'self';
frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval';
img-src 'self'; media-src 'self'; font-src 'self'; connect-src 'self';</Set>
+          </New>
+        </Arg>
+      </Call>
+      <Call name="addRule">
+        <Arg>
+          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+            <Set name="pattern">*</Set>
+            <Set name="name">X-Content-Type-Options</Set>
+            <Set name="value">nosniff</Set>
+          </New>
+        </Arg>
+      </Call>
+      <Call name="addRule">
+        <Arg>
+          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+            <Set name="pattern">*</Set>
+            <Set name="name">X-Frame-Options</Set>
+            <Set name="value">SAMEORIGIN</Set>
+          </New>
+        </Arg>
+      </Call>
+      <Call name="addRule">
+        <Arg>
+          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+            <Set name="pattern">*</Set>
+            <Set name="name">X-XSS-Protection</Set>
+            <Set name="value">1; mode=block</Set>
+          </New>
+        </Arg>
+      </Call>
+
+      <!-- redirect root to solr -->
       <Call name="addRule">
         <Arg>
           <New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule">
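Review bot: the framing policy in this hunk is internally inconsistent: `frame-ancestors 'none'` in the CSP forbids all framing, while `X-Frame-Options` is set to `SAMEORIGIN`, which permits same-origin framing. Browsers that implement CSP Level 2 ignore X-Frame-Options when frame-ancestors is present, so the effective policy differs between old and new browsers; either change the header to `DENY` or relax the CSP to `frame-ancestors 'self'`, whichever matches the intended behaviour. Secondly, the `'unsafe-inline'` (style-src) and `'unsafe-eval'` (script-src) sources that the commit message attributes to the AngularJS admin UI (SOLR-13987) are undocumented in the file itself; add an XML comment next to the Content-Security-Policy rule naming that issue so the relaxation is removed when it is no longer needed rather than cargo-culted forward. Finally, `X-XSS-Protection: 1; mode=block` relies on a browser XSS auditor that current Chromium-based browsers have removed and that has been shown to leak information in some configurations; the usual recommendation today is to set it to `0` and rely on the CSP, so consider dropping or changing that rule.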