lucene-issues mailing list archives

From "Robert Muir (Jira)" <>
Subject [jira] [Commented] (SOLR-13993) sandbox velocity template render
Date Wed, 04 Dec 2019 02:23:00 GMT


Robert Muir commented on SOLR-13993:

I attached a patch with a starter sandbox. I tweaked Erik's testcase (thank you) to be a little
more benign, and test something that the rest of solr code can do, but velocity can't.

The velocity stuff runs with a lot less privileges now than the rest of solr code. The main
downside is that it still has read access to all files. I'm fairly certain it just needs access
to the classpath, so that should really be refined. But classloaders are complicated, gotta
start somewhere, and this is a hell of a lot less than what is in the solr policy file.

> sandbox velocity template render
> --------------------------------
>                 Key: SOLR-13993
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public (Default Security Level. Issues are Public)
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-13993.patch, SOLR-13993.patch
> This thing seems dangerous :)
> Making the whole solr secure is a whole nother thing: (see e.g. SOLR-13991 and we haven't
> even gotten started). It's pretty difficult to convert a whole large app to work securely. It
> is going to take time.
> In the meantime, if we have things that might do something dangerous, and security manager
> is enabled, we can put them into a special little sandbox and throw away the key: for example
> we can intentionally discard permissions we don't need so they can't launch stuff, if we really
> don't trust them, we can start filtering what classes the classloader will load.
> This isn't that crazy at all to do, e.g. your web browser does similar tricks to try
> to sandbox specific parts that might do something unexpected and cause a security issue.

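The permission-discarding idea described in the issue, shown as an added example that is not taken from the attached patch or from Solr's code: an action is run through `AccessController.doPrivileged` with an `AccessControlContext` that holds only a file-read grant, so its effective permissions are the caller's intersected with that one grant. The class name `RenderSandbox`, the helper names and the sample paths are hypothetical, and it assumes a JDK that still supports the Security Manager.

```java
import java.io.FilePermission;
import java.security.*;

public class RenderSandbox {
  // Assumption: the untrusted step only needs to read files (the remaining
  // broad grant the comment mentions); every other permission is discarded.
  private static final AccessControlContext RESTRICTED = restrictedContext();

  private static AccessControlContext restrictedContext() {
    Permissions perms = new Permissions();
    perms.add(new FilePermission("<<ALL FILES>>", "read"));
    perms.setReadOnly();
    // A context holding one synthetic domain that carries only these permissions.
    return new AccessControlContext(
        new ProtectionDomain[] {new ProtectionDomain(null, perms)});
  }

  // Runs the action with the caller's permissions intersected with RESTRICTED.
  static <T> T runRestricted(PrivilegedAction<T> action) {
    return AccessController.doPrivileged(action, RESTRICTED);
  }

  // True if the current access control context would permit p.
  static boolean allowed(Permission p) {
    try {
      AccessController.checkPermission(p);
      return true;
    } catch (AccessControlException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed sample permissions, not taken from the Solr policy file.
    Permission read = new FilePermission("/tmp/constructed-sample.txt", "read");
    Permission exec = new FilePermission("/bin/sh", "execute");
    Permission exit = new RuntimePermission("exitVM.1");
    String report = runRestricted(() ->
        "read=" + allowed(read) + " exec=" + allowed(exec) + " exit=" + allowed(exit));
    System.out.println("inside sandbox: " + report);
  }
}
```

When the calling code is itself fully trusted by the policy, only the `read` check passes inside `runRestricted`; the `execute` and `exitVM` checks are denied even though the caller holds those permissions.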