Solr / SOLR-4882

Restrict SolrResourceLoader to only classloader accessible files and instance dir

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.3
    • Fix Version/s: 4.6, Trunk
    • Component/s: None
    • Labels:

      Description

      SolrResourceLoader currently allows loading files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.

      We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is instance's config or root dir).

      The reason for this is security related. Some Solr components allow resource paths to be passed in via REST parameters (e.g. XSL stylesheets, Velocity templates, ...) and load them via the resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.

      In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires the files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.
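      The containment rule proposed in the description, sketched as an added example (not Solr's SolrResourceLoader and not taken from the attached patches). The class name `InstanceDirGuard` and its `resolve` method are hypothetical, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical.
public class InstanceDirGuard {
    private final Path instanceDir;

    public InstanceDirGuard(Path instanceDir) {
        // Normalize once so later prefix checks compare like with like.
        this.instanceDir = instanceDir.toAbsolutePath().normalize();
    }

    /** Resolves a caller-supplied resource name, or throws if it leaves instanceDir. */
    public Path resolve(String resource) throws IOException {
        // Relative names resolve against instanceDir (the "virtual CWD"), never the JVM CWD.
        // Path.resolve returns the argument unchanged when it is absolute, so /etc/passwd
        // stays /etc/passwd and fails the containment check below.
        Path candidate = instanceDir.resolve(resource).normalize();
        // Path.startsWith compares whole path elements, so /srv/core1-evil
        // does not count as being inside /srv/core1.
        if (!candidate.startsWith(instanceDir)) {
            throw new IOException("Resource outside instance dir: " + resource);
        }
        // A symlink inside instanceDir can still point elsewhere; compare real paths.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(instanceDir.toRealPath())) {
            throw new IOException("Resource resolves outside instance dir: " + resource);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory standing in for a core's instanceDir.
        Path dir = Files.createTempDirectory("instanceDir");
        Files.createDirectories(dir.resolve("conf/xslt"));
        Files.write(dir.resolve("conf/xslt/example.xsl"), new byte[0]);
        InstanceDirGuard guard = new InstanceDirGuard(dir);
        String[] requests = { "conf/xslt/example.xsl", "/etc/passwd", "conf/../../outside.xsl" };
        for (String r : requests) {
            try {
                System.out.println("ALLOW  " + r + " -> " + guard.resolve(r));
            } catch (IOException e) {
                System.out.println("REJECT " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

      Only the first constructed request is allowed; the absolute path and the `..` traversal are both rejected before any file is opened.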

      1. SOLR-4882.patch
        14 kB
        Uwe Schindler
      2. SOLR-4882.patch
        12 kB
        Uwe Schindler
      3. SOLR-4882.patch
        10 kB
        Uwe Schindler

        Issue Links

          Activity

          Uwe Schindler made changes -
          Comment [ I had to backport SOLR-3648 (fix Velocity template loading in SolrCloud mode), too. Otherwise it did not work. ]
          Uwe Schindler made changes -
          Attachment SOLR-4882-fix.patch [ 12618093 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882-fix.patch [ 12618094 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882-fix.patch [ 12618094 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882-fix.patch [ 12618093 ]
          Uwe Schindler made changes -
          Labels security
          Uwe Schindler made changes -
          Link This issue is required by SOLR-5520 [ SOLR-5520 ]
          Uwe Schindler made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 4.6 [ 12325000 ]
          Fix Version/s 4.5 [ 12324743 ]
          Resolution Fixed [ 1 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882.patch [ 12604396 ]
          Steve Rowe made changes -
          Fix Version/s 4.5 [ 12324743 ]
          Fix Version/s 4.4 [ 12324324 ]
          Uwe Schindler made changes -
          Description
          Original Value:
          SolrResourceLoader currently allows to load files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.

          We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is instance's config or root dir).

          The reason for this is security related. Some Solr components allow to pass in resource paths via REST parameters (e.g. XSL stalesheets,...) and load them via resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.

          In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires the files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.
          New Value:
          SolrResourceLoader currently allows to load files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.

          We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is instance's config or root dir).

          The reason for this is security related. Some Solr components allow to pass in resource paths via REST parameters (e.g. XSL stylesheets, velocity templates,...) and load them via resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.

          In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires the files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.
          Uwe Schindler made changes -
          Attachment SOLR-4882.patch [ 12585618 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882.patch [ 12585644 ]
          Uwe Schindler made changes -
          Attachment SOLR-4882.patch [ 12585618 ]
          Uwe Schindler made changes -
          Field Original Value New Value
          Attachment SOLR-4882.patch [ 12585600 ]
          Uwe Schindler created issue -

            People

            • Assignee:
              Uwe Schindler
              Reporter:
              Uwe Schindler
            • Votes:
              0
              Watchers:
              3
