lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-4882) Restrict SolrResourceLoader to only classloader accessible files and instance dir
Date Mon, 02 Dec 2013 14:18:36 GMT

     [ https://issues.apache.org/jira/browse/SOLR-4882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uwe Schindler updated SOLR-4882:
--------------------------------

    Labels: security  (was: )

> Restrict SolrResourceLoader to only classloader accessible files and instance dir
> ---------------------------------------------------------------------------------
>
>                 Key: SOLR-4882
>                 URL: https://issues.apache.org/jira/browse/SOLR-4882
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 4.3
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>              Labels: security
>             Fix For: 4.6, 5.0
>
>         Attachments: SOLR-4882.patch, SOLR-4882.patch, SOLR-4882.patch
>
>
> SolrResourceLoader currently allows loading files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.
> We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is the instance's config or root dir).
> The reason for this is security related. Some Solr components allow passing in resource paths via REST parameters (e.g. XSL stylesheets, velocity templates, ...) and load them via the resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.
> In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
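The restriction the issue describes (classloader lookup first, then a file-system fallback confined to the instance directory, with no CWD special case) as an added, hypothetical illustration; this is not Solr's SolrResourceLoader, and the class name, method names and the temp-directory sample are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical illustration of the instanceDir restriction; not Solr's SolrResourceLoader.
public final class RestrictedResourceLoader {
    private final Path instanceDir;
    private final ClassLoader classLoader;

    public RestrictedResourceLoader(Path instanceDir, ClassLoader classLoader) throws IOException {
        // toRealPath() canonicalises (symlinks, "..") so later containment checks compare like with like
        this.instanceDir = instanceDir.toRealPath();
        this.classLoader = classLoader;
    }

    // True only if 'name' is a regular file below instanceDir; absolute names and "../" traversal resolve outside and are rejected.
    public boolean isAllowedFile(String name) throws IOException {
        Path candidate = instanceDir.resolve(name).normalize();
        if (!candidate.startsWith(instanceDir) || !Files.isRegularFile(candidate)) {
            return false;
        }
        // Re-check the real path: a symlink inside instanceDir that points outside is also refused.
        return candidate.toRealPath().startsWith(instanceDir);
    }

    // Classloader first, instanceDir fallback second; nothing else (no CWD, no arbitrary absolute paths).
    public InputStream openResource(String name) throws IOException {
        InputStream fromClasspath = classLoader.getResourceAsStream(name);
        if (fromClasspath != null) {
            return fromClasspath;
        }
        if (!isAllowedFile(name)) {
            throw new IOException("Resource '" + name + "' is not below instanceDir " + instanceDir);
        }
        return Files.newInputStream(instanceDir.resolve(name).normalize());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp instanceDir holding conf/sample.xsl; only that relative name passes the check
        Path dir = Files.createTempDirectory("solr-instance");
        Files.createDirectories(dir.resolve("conf"));
        Files.writeString(dir.resolve("conf/sample.xsl"), "<xsl:stylesheet/>");
        RestrictedResourceLoader loader =
            new RestrictedResourceLoader(dir, RestrictedResourceLoader.class.getClassLoader());
        System.out.println(loader.isAllowedFile("conf/sample.xsl"));
        System.out.println(loader.isAllowedFile("../../../etc/passwd"));
        System.out.println(loader.isAllowedFile("/etc/passwd"));
    }
}
```

The classloader branch is only as contained as the URLs the loader was built with; the issue's point is that the unrestricted file-system fallback, not the classloader, was the path that let a REST-supplied name reach arbitrary files.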

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org

