[SOLR-14663] ConfigSets CREATE does not set trusted flag - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.6.3, 8.7, 9.0
Component/s: None
Labels:
None

Description

If I upload a configset using ConfigSets API UPLOAD Solr sets the trusted flag. The config set will be trusted if authentication is enabled and the upload operation is performed as an authenticated request.

On the other hand if I use the ConfigSets API CREATE which creates a new configset based on an already uploaded one, this flag will not be set, so the configset will be effectively untrusted.

I don't really understand the difference here, I think CREATE API call should set this flag just like UPLOAD sets it.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-14663.patch
17/Jul/20 15:09
6 kB
Andras Salamon
SOLR-14663.patch
01/Oct/20 21:07
21 kB
Tomas Eduardo Fernandez Lobbe

Issue Links

fixes

SOLR-14925 CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented

Closed

Activity

People

Assignee:: Tomas Eduardo Fernandez Lobbe

Reporter:: Andras Salamon

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 17/Jul/20 15:08

Updated:: 04/Mar/21 04:54

Resolved:: 07/Oct/20 03:56