Description
Requesting the following URL causes Solr to return an HTTP 500 error response:
http://localhost:8983/solr/films/schema/%25
The error response seems to be caused by the following uncaught exception:
java.lang.NullPointerException
    at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:403)
    at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:340)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    [...]
Function SolrDispatchFilter.doFilter(), line 403, calls the method forward() on a null pointer. This happens because ServletRequestWrapper.getRequestDispatcher(), line 338, returns null, which in turn happens because org.eclipse.jetty.server.handler.ContextHandler.Context.getRequestDispatcher() returns null. That happens because org.eclipse.jetty.http.HttpURI.getDecodedPath() tries to decode the string /solr/films/schema/%, which is an invalid percent-encoding.
I don’t fully follow the logic of the code but it seems that the percent-encoding of the URL has first been decoded and then it’s being decoded again?
We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign.
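To illustrate the failure chain described above, here is an added example (not Solr's or Jetty's code): a strict percent-decoder and a toy dispatcher lookup. The functions, the `decode_again` switch and the 400 response are hypothetical stand-ins for the real servlet code; they show how decoding an already-decoded path turns the valid escape `%25` into a lone `%`, and how a handler can answer that with 400 instead of an uncaught NullPointerException (HTTP 500).

```python
# Added example, not Solr's or Jetty's code. Models the report's failure chain:
# raw URI is decoded once, then the decoded path is decoded again, so "%25"
# becomes "%" and then becomes an invalid escape.
from typing import Optional

HEX = "0123456789abcdefABCDEF"


class InvalidPercentEncoding(ValueError):
    """Raised when a '%' is not followed by exactly two hex digits."""


def strict_decode(path: str) -> str:
    """Decode %XX escapes and reject truncated or non-hex escapes instead of
    silently passing them through (as urllib.parse.unquote would)."""
    out, i = [], 0
    while i < len(path):
        if path[i] != "%":
            out.append(path[i])
            i += 1
            continue
        hexpart = path[i + 1:i + 3]
        if len(hexpart) != 2 or any(c not in HEX for c in hexpart):
            raise InvalidPercentEncoding(f"bad escape at offset {i}: {path[i:i + 3]!r}")
        out.append(chr(int(hexpart, 16)))
        i += 3
    return "".join(out)


def lookup_dispatcher(decoded_path: str, decode_again: bool) -> Optional[str]:
    """Hypothetical stand-in for Context.getRequestDispatcher(): returns a
    target name, or None when the (re)decoded path is invalid."""
    try:
        target = strict_decode(decoded_path) if decode_again else decoded_path
    except InvalidPercentEncoding:
        return None
    return f"dispatcher:{target}"


def handle_request(raw_path: str, decode_again: bool = True) -> int:
    """Return an HTTP status code. Decode the raw URI once, then ask for a
    dispatcher. Checking for None (400) is the hardened behaviour; the
    reported code calls forward() on the null value and dies with an NPE."""
    try:
        once = strict_decode(raw_path)
    except InvalidPercentEncoding:
        return 400  # malformed escape in the raw URI: client error, not 500
    dispatcher = lookup_dispatcher(once, decode_again)
    if dispatcher is None:
        return 400  # hypothetical fix: reject instead of dereferencing null
    return 200
```

With `decode_again=True` the request for `/solr/films/schema/%25` fails on the second decode, which matches the stack trace above; with `decode_again=False` the same request is served.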
Steps to reproduce
- Use a Linux machine.
- Build commit ea2c8ba of Solr as described in the section below.
- Build the films collection as described below.
- Start the server using the command ./bin/solr start -f -p 8983 -s /tmp/home
- Request the URL given in the bug description.
Compiling the server
git clone https://github.com/apache/lucene-solr
cd lucene-solr
git checkout ea2c8ba
ant compile
cd solr
ant server
Building the collection
We followed Exercise 2 from the Solr Tutorial. The attached file (home.zip) gives the contents of folder /tmp/home that you will obtain by following the steps below:
mkdir -p /tmp/home
echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml
In one terminal start a Solr instance in foreground:
./bin/solr start -f -p 8983 -s /tmp/home
In another terminal, create a collection of movies, with no shards and no replication, and initialize it:
bin/solr create -c films
curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema
curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema
./bin/post -c films example/films/films.json