lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <>
Subject [jira] [Updated] (SOLR-4882) Restrict SolrResourceLoader to only classloader accessible files and instance dir
Date Tue, 10 Dec 2013 20:10:08 GMT


Uwe Schindler updated SOLR-4882:

    Attachment: SOLR-4882-fix.patch

I had to backport SOLR-3648 (fix Velocity template loading in SolrCloud mode), too. Otherwise
it did not work.

> Restrict SolrResourceLoader to only classloader accessible files and instance dir
> ---------------------------------------------------------------------------------
>                 Key: SOLR-4882
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 4.3
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>              Labels: security
>             Fix For: 4.6, 5.0
>         Attachments: SOLR-4882-fix.patch, SOLR-4882.patch, SOLR-4882.patch, SOLR-4882.patch
>
> SolrResourceLoader currently allows loading files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.
> We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is instance's config or root
> The reason for this is security related. Some Solr components allow passing in resource paths via REST parameters (e.g. XSL stylesheets, velocity templates, ...) and load them via the resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.
> In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.

This message was sent by Atlassian JIRA
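As an added illustration, not Solr's own SolrResourceLoader or the attached patch, here is a minimal Java loader applying the rule the issue describes: classloader lookup first, then a filesystem fallback that accepts only files under the instanceDir passed to the constructor, with no CWD special case. Class and method names are hypothetical, and the sample instance directory is constructed in a temp dir.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical loader, not Solr's SolrResourceLoader: classloader first, then an
// instanceDir-only filesystem fallback, with no CWD special case.
public class RestrictedResourceLoader {
    private final Path instanceDir;
    private final ClassLoader classLoader;

    public RestrictedResourceLoader(Path instanceDir, ClassLoader cl) throws IOException {
        this.instanceDir = instanceDir.toRealPath(); // canonical, so symlinked dirs compare equal
        this.classLoader = cl;
    }

    // Returns the canonical file path if it lies inside instanceDir, otherwise null.
    Path resolveInsideInstanceDir(String resource) throws IOException {
        // resolve() keeps an absolute input as-is, normalize() collapses "../";
        // Path.startsWith compares whole name elements, so "/x/inst10" is not under "/x/inst1".
        Path candidate = instanceDir.resolve(resource).normalize();
        if (!candidate.startsWith(instanceDir) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // A symlink inside instanceDir may point outside it: re-check the real path.
        Path real = candidate.toRealPath();
        return real.startsWith(instanceDir) ? real : null;
    }

    public InputStream openResource(String resource) throws IOException {
        InputStream is = classLoader.getResourceAsStream(resource);
        if (is != null) {
            return is; // classpath resources remain loadable, as before
        }
        Path p = resolveInsideInstanceDir(resource);
        if (p == null) {
            throw new IOException("Resource '" + resource + "' is not inside " + instanceDir);
        }
        return Files.newInputStream(p);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("solr-instance"); // constructed sample instance dir
        Files.createDirectories(dir.resolve("conf"));
        Files.write(dir.resolve("conf/test.xsl"), "<xsl:stylesheet/>".getBytes("UTF-8"));
        RestrictedResourceLoader loader = new RestrictedResourceLoader(dir, RestrictedResourceLoader.class.getClassLoader());
        for (String r : new String[] {"conf/test.xsl", "../../etc/passwd", "/etc/passwd"}) {
            System.out.println(r + " -> " + loader.resolveInsideInstanceDir(r));
        }
    }
}
```

The last two inputs in main are the traversal and absolute-path cases the issue wants rejected; only the relative path under conf/ resolves.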
