SOLR-7920

There is an XSS issue in the schema-browser page of the Admin Web UI.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.9, 4.10.4, 5.2.1
    • Fix Version/s: 5.3
    • Component/s: web gui
    • Labels: None

      Description

      Open the Solr Admin Web UI, select a core (such as collection1) and then click "schema-browser", and enter a URL like "http://127.0.0.1:8983/solr/#/collection1/schema-browser?field=cat=<img src=1 onerror=alert(1);>" in the browser address bar; you will get an alert box with "1".

      I changed the following code to avoid this problem:
      Original code:
      $( 'option[value="' + params.route_params.path + '"]', related_select_element )
      .attr( 'selected', 'selected' );

      Changed code:
      $( 'option[value="' + params.route_params.path.esc() + '"]', related_select_element )
      .attr( 'selected', 'selected' );
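      The root cause and the fix, as an added worked example (not Solr's own code and not the reporter's): `params.route_params.path` comes straight from the URL fragment and is concatenated into a jQuery selector string. jQuery 1.x's `$()` decides between "selector" and "HTML" with a regular expression; in the 1.7 line that expression is `^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)`, which accepts text before the first `<`, so for `option[value="cat=<img ...>"]` the `<img ...>` capture is handed to the HTML fragment builder and the element is created with its `onerror` handler intact. Escaping `<` and `>` (what `.esc()` does; the helper body below is an assumption modelled on Solr's `String.prototype.esc`) removes the `<`, so the string stays a selector. The block also shows the alternative a reviewer would normally suggest: not building a selector from untrusted text at all, but comparing option values as data. The option list, the benign field name and the assumption that the admin UI bundled a jQuery 1.7-era version are all constructed for this example.

```javascript
// Added example (not Solr's code): why SOLR-7920's selector concatenation was
// exploitable and why the .esc() change stops it. Runs under Node, no jQuery needed.

// Assumed body of Solr's String.prototype.esc helper: HTML-escape '<' and '>'.
function esc(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The selector string the old schema-browser page built from the URL fragment,
// with and without the escaping added by the fix.
function buildOptionSelector(path, escape) {
  const value = escape ? esc(path) : path;
  return 'option[value="' + value + '"]';
}

// jQuery 1.7's quickExpr heuristic: a string with a <tag> somewhere and no '>'
// after it is routed to the HTML parser instead of the selector engine.
const JQUERY_17_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

function looksLikeHtmlToJquery17(str) {
  const m = JQUERY_17_QUICK_EXPR.exec(str);
  return !!(m && m[1]); // capture group 1 set => HTML path, elements get created
}

// Safer alternative: no selector string at all. Compare option values as data.
// `options` stands in for the <option> DOM nodes; each {value} is a plain object.
// Returns the index of the selected option, or -1 if nothing matched.
function selectOptionByValue(options, path) {
  let hit = -1;
  options.forEach((opt, i) => {
    opt.selected = (opt.value === path);
    if (opt.selected) hit = i;
  });
  return hit;
}

// Constructed sample input: the payload quoted in the report and a benign field name.
const PAYLOAD = 'cat=<img src=1 onerror=alert(1);>';
const BENIGN = 'cat';
const SAMPLE_OPTIONS = [{ value: 'cat' }, { value: 'id' }, { value: 'name' }];

function demo() {
  return {
    unescapedIsHtml: looksLikeHtmlToJquery17(buildOptionSelector(PAYLOAD, false)), // true
    escapedIsHtml:   looksLikeHtmlToJquery17(buildOptionSelector(PAYLOAD, true)),  // false
    benignIsHtml:    looksLikeHtmlToJquery17(buildOptionSelector(BENIGN, false)),  // false
    safeLookup:      selectOptionByValue(SAMPLE_OPTIONS, BENIGN),                  // 0
    payloadLookup:   selectOptionByValue(SAMPLE_OPTIONS, PAYLOAD),                 // -1
  };
}

console.log(demo());
```

      Two caveats worth knowing when reviewing the one-line fix: entity-escaping keeps the string out of the HTML path, but a `"` in the path still breaks the attribute selector's syntax (a selector error rather than script execution), and a field whose real name contained `<` would no longer be found. Comparing `value` properties directly has neither problem, which is why the data-comparison form is the more robust one. jQuery 1.9 and later only treat strings that start with `<` as HTML, but concatenating untrusted text into a selector remains a defect regardless of version.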

        Activity

        ASF subversion and git services added a comment -

        Commit 1696161 from Upayavira in branch 'dev/trunk'
        [ https://svn.apache.org/r1696161 ]

        SOLR-7920 XSS issue in old schema-browser page

        ASF subversion and git services added a comment -

        Commit 1696162 from Upayavira in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1696162 ]

        SOLR-7920 XSS issue in old schema-browser page

        Upayavira added a comment -

        Thanks for the report!

        Jan Høydahl added a comment -

        Upayavira, did you consider committing to the lucene_solr_5_3 branch as well? If it won't make it for 5.3.0 then at least 5.3.x.

        ASF subversion and git services added a comment -

        Commit 1696213 from Upayavira in branch 'dev/branches/lucene_solr_5_3'
        [ https://svn.apache.org/r1696213 ]

        SOLR-7920: Resolve XSS issue in old Schema Browser admin UI pane

        ASF subversion and git services added a comment -

        Commit 1696215 from Upayavira in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1696215 ]

        SOLR-7920: Update CHANGES.txt

        ASF subversion and git services added a comment -

        Commit 1696217 from Upayavira in branch 'dev/trunk'
        [ https://svn.apache.org/r1696217 ]

        SOLR-7920: Update CHANGES.txt

        Upayavira added a comment -

        Jan Høydahl, done. However, there was no 5.3.1 section in CHANGES.txt, so I added it to the 5.4.0 section in that branch. I presume we'll fix that should 5.3.1 ever see the light of day.

        Uwe Schindler added a comment -

        The new 5.3 snapshots were not yet created, but you committed to 5.3, so it should appear in 5.3.0 after a respin of the RC?

        Upayavira added a comment -

        Uwe Schindler, yes, I thought of that after doing it. I can revert, although it is such a small change, in which case the only fix required is to move the comment from the 5.4 section to the 5.3 one. Thoughts?

        Uwe Schindler added a comment -

        If Noble prepares a respin with that one, just move the changes entries. If we don't release that in 5.3.0, you have to move the lucene_solr_5_3 branch away from 5.3.0.

        For now I would set "Fix version" to "5.3", too.

        Jan Høydahl added a comment -

        Not my intention either to sneak this into the ongoing release. Now that it is there, as an extra verification I checked out and built the 5.3 branch, and manually verified that the schema browser works as expected and that the XSS is fixed.

        But of course, RM Noble Paul has the final word and the power to revert.

        Uwe Schindler added a comment -

        Hi, it's in the RC2 created a minute ago. So you can move the changes entries: https://dist.apache.org/repos/dist/dev/lucene/lucene-solr-5.3.0-RC2-rev1696229/solr/changes/Changes.html

        Noble Paul added a comment -

        It did not go into RC2, right? I don't see any commits related to this JIRA.

        Upayavira added a comment -

        Noble Paul, see above: "Commit 1696213 from Upayavira in branch 'dev/branches/lucene_solr_5_3'". I should have waited until 5.3 was complete before committing into the _5_3 branch. However, it did sneak in. It was the smallest of tweaks though, and pretty innocuous.

        The only thing is, it isn't in the 5.3 CHANGES.txt section. I'll fix that, but it won't be in it for this release. IMO, this is no big deal and we should proceed with the vote as it is currently running.

        Jan Høydahl added a comment -

        SOLR-7920 is correctly listed under 5.3 in branch lucene_solr_5_3, but under 5.4 in branch_5x and trunk.

        Uwe Schindler added a comment -

        I see it listed in CHANGES.txt; just search for "7920" in the changes.txt: https://dist.apache.org/repos/dist/dev/lucene/lucene-solr-5.3.0-RC2-rev1696229/solr/changes/Changes.html

        Uwe Schindler added a comment -

        It went in!

        Uwe Schindler added a comment -

        SOLR-7920 is correctly listed under 5.3 in branch lucene_solr_5_3 but under 5.4 in branch_5x and trunk

        That was discussed before. The changes entries need to be moved NOW. Maybe this causes the confusing stuff. In any case, the release manager should check the CHANGES.txt after the release and remove duplicates and sync them between the release, branch_5x and trunk branches. I did this on every release that I managed.

        Shalin Shekhar Mangar added a comment -

        Bulk close for 5.3.0 release

          People

          • Assignee: Upayavira
          • Reporter: davidchiu
          • Votes: 0
          • Watchers: 6