Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
9.0
-
None
-
Steps to reproduce
- Use a Linux machine.
- Build commit ea2c8ba of Solr as described in the section below.
- Build the films collection as described below.
- Start the server using the command ./bin/solr start -f -p 8983 -s /tmp/home
- Request the URL given in the bug description.
Compiling the server
git clone https://github.com/apache/lucene-solr cd lucene-solr git checkout ea2c8ba ant compile cd solr ant server
Building the collection
We followed Exercise 2 from the Solr Tutorial. The attached file (home.zip) gives the contents of folder /tmp/home that you will obtain by following the steps below:
mkdir -p /tmp/home echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml
In one terminal start a Solr instance in foreground:
./bin/solr start -f -p 8983 -s /tmp/home
In another terminal, create a collection of movies, with no shards and no replication, and initialize it:
bin/solr create -c films curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema ./bin/post -c films example/films/films.json
Steps to reproduce Use a Linux machine. Build commit ea2c8ba of Solr as described in the section below. Build the films collection as described below. Start the server using the command ./bin/solr start -f -p 8983 -s /tmp/home Request the URL given in the bug description. Compiling the server git clone https://github.com/apache/lucene-solr cd lucene-solr git checkout ea2c8ba ant compile cd solr ant server Building the collection We followed Exercise 2 from the Solr Tutorial . The attached file ( home.zip ) gives the contents of folder /tmp/home that you will obtain by following the steps below: mkdir -p /tmp/home echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml In one terminal start a Solr instance in foreground: ./bin/solr start -f -p 8983 -s /tmp/home In another terminal, create a collection of movies, with no shards and no replication, and initialize it: bin/solr create -c films curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema ./bin/post -c films example/films/films.json
Description
Requesting the following URL causes Solr to return an HTTP 500 error response:
http://localhost:8983/solr/films/select?defType=complexphrase&q.op=AND
The error response seems to be caused by the following uncaught exception:
java.lang.NullPointerException at java.io.StringReader.<init>(StringReader.java:50) at org.apache.lucene.queryparser.classic.QueryParserBase.parse(QueryParserBase.java:106) at org.apache.lucene.queryparser.complexPhrase.ComplexPhraseQueryParser.parse(ComplexPhraseQueryParser.java:125) at org.apache.solr.search.ComplexPhraseQParserPlugin$ComplexPhraseQParser.parse(ComplexPhraseQParserPlugin.java:164) at org.apache.solr.search.QParser.getQuery(QParser.java:173) at org.apache.solr.handler.component.QueryComponent.prepare(QueryComponent.java:158) [...]
What happens here is that a querystring (qstr) is passed into a StringReader. Ultimately, this query string comes from the method o.a.s.h.c.QueryComponent, in method prepare (line 157), where it is extracted using rb.queryString() [rb is of type responseBuffer]. The query string stored in the response buffer was earlier on extracted from the request URL by looking for the "q" parameter; note that this parameter is absent in the example request, so qstr would be null. The extracted qstr is then passed to QParser.getParser, which expects a non-null query string.
We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign.