Solr
SOLR-8167: RuleBasedAuthorization plugin bypass with POST requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1
    • Fix Version/s: 5.3.2, 5.4, 6.0
    • Component/s: security
    • Labels:

      Description

      We are using the RuleBasedAuthorization plugin. We are using the
      collection-admin-edit permission to secure the collections API.

      What I have found is that if I try to, say, create or delete a
      collection using a GET request I am prompted to authenticate as
      expected.

      If I try the same operation using a POST request, it lets me straight
      through and I can delete collections without authenticating.

      I emailed Noble Paul directly about this initially and he has confirmed this as a bug.

        Issue Links

          Activity

          Noble Paul added a comment -

          security framework is looking at query params instead of solrrequest.getParams()

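The following is an added illustration, not Solr code and not anything the reporter or the committers posted. It models in Python the two parameter views behind this issue: a rule that inspects only the URL query string (the behaviour the description reports, where a GET is challenged but the same operation in a POST body passes) and one that matches on the query string merged with the form body (the view Noble Paul's comment refers to as solrrequest.getParams()). The path /admin/collections, the set of "edit" actions, the user list and the ALLOW/DENY/PROMPT outcomes are assumptions made for the example; the page does not state which actions collection-admin-edit covers.

```python
"""Model of the SOLR-8167 authorization bypass (added illustration, not Solr code).

A rule guarding the collections API is only as good as the parameters it
sees.  Matching on the URL query string alone misses the same parameters
sent in a POST body; matching on the merged view (query string plus form
body, what Noble Paul calls solrrequest.getParams()) catches both.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs

# Assumed for illustration: which collections API actions count as "edit".
# The page does not list what collection-admin-edit actually covers.
EDIT_ACTIONS = {"CREATE", "DELETE", "RELOAD", "SPLITSHARD", "ADDREPLICA"}
ADMIN_USERS = {"admin"}  # assumed: users granted collection-admin-edit


class Request:
    """Minimal HTTP request: URL query string plus an optional form body."""

    def __init__(self, method: str, path: str, query: str = "",
                 body: str = "", user: Optional[str] = None) -> None:
        self.method = method
        self.path = path
        self.query = query
        self.body = body          # application/x-www-form-urlencoded
        self.user = user          # None: no credentials presented

    def query_params(self) -> Dict[str, List[str]]:
        """Vulnerable view: only what is in the URL."""
        return parse_qs(self.query)

    def all_params(self) -> Dict[str, List[str]]:
        """Fixed view: URL query merged with the form-encoded POST body."""
        merged = parse_qs(self.query)
        if self.method == "POST":
            for key, values in parse_qs(self.body).items():
                merged.setdefault(key, []).extend(values)
        return merged


ParamView = Callable[[Request], Dict[str, List[str]]]


def matches_collection_admin_edit(params: Dict[str, List[str]]) -> bool:
    """True if ANY supplied action is an edit action.

    Checking every value, not just the first, means a benign action in the
    query string cannot mask an edit action in the body (an added hardening
    choice for this example, not something the page describes).
    """
    return any(v.upper() in EDIT_ACTIONS for v in params.get("action", []))


def authorize(req: Request, view: ParamView) -> str:
    """Return "ALLOW", "DENY" or "PROMPT" (a 401 challenge)."""
    if req.path != "/admin/collections":
        return "ALLOW"                      # no rule applies to this path
    if not matches_collection_admin_edit(view(req)):
        return "ALLOW"                      # rule did not match: let through
    if req.user is None:
        return "PROMPT"
    return "ALLOW" if req.user in ADMIN_USERS else "DENY"


def authorize_vulnerable(req: Request) -> str:
    return authorize(req, Request.query_params)


def authorize_fixed(req: Request) -> str:
    return authorize(req, Request.all_params)


# Constructed requests: the same DELETE, once in the query string, once in
# the body, and once with a benign query action in front of the body.
GET_DELETE = Request("GET", "/admin/collections", query="action=DELETE&name=c1")
POST_DELETE = Request("POST", "/admin/collections", body="action=DELETE&name=c1")
POST_MASKED = Request("POST", "/admin/collections", query="action=LIST",
                      body="action=DELETE&name=c1")


def demo() -> Dict[str, str]:
    cases = {"GET": GET_DELETE, "POST": POST_DELETE, "POST masked": POST_MASKED}
    out = {}
    for name, req in cases.items():
        out["vulnerable " + name] = authorize_vulnerable(req)
        out["fixed " + name] = authorize_fixed(req)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

Running the script shows the vulnerable view challenging the GET but letting both POST variants through unauthenticated, while the merged view challenges all three. When auditing a similar rule engine, the check to make is the same: find the parameter object the rule matches against and confirm it is the one the request handler itself uses, not a subset built from the URL.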
          ASF subversion and git services added a comment -

          Commit 1709056 from Noble Paul in branch 'dev/trunk'
          [ https://svn.apache.org/r1709056 ]

          SOLR-8167: Authorization framework does not work with POST params

          ASF subversion and git services added a comment -

          Commit 1709058 from Noble Paul in branch 'dev/branches/branch_5x'
          [ https://svn.apache.org/r1709058 ]

          SOLR-8167: Authorization framework does not work with POST params

          Anshum Gupta added a comment -

          Reopening to backport to 5.3.2

          ASF subversion and git services added a comment -

          Commit 1722058 from Anshum Gupta in branch 'dev/branches/lucene_solr_5_3'
          [ https://svn.apache.org/r1722058 ]

          SOLR-8167: Fix to get authorization to work with POST params (backport from branch_5x for 5.3.2 release)

          ASF subversion and git services added a comment -

          Commit 1722066 from Anshum Gupta in branch 'dev/trunk'
          [ https://svn.apache.org/r1722066 ]

          SOLR-8167: Add change log entry to 5.3.2 section on trunk

          ASF subversion and git services added a comment -

          Commit 1722067 from Anshum Gupta in branch 'dev/branches/branch_5x'
          [ https://svn.apache.org/r1722067 ]

          SOLR-8167: Add change log entry to 5.3.2 section (merge from trunk)

          ASF subversion and git services added a comment -

          Commit 1724181 from Adrien Grand in branch 'dev/branches/lucene_solr_5_4'
          [ https://svn.apache.org/r1724181 ]

          SOLR-8167: Add change log entry to 5.3.2 section

          Varun Thacker added a comment -

          Adding BasicAuth tag


            People

            • Assignee: Anshum Gupta
            • Reporter: Philip Wigg
            • Votes: 0
            • Watchers: 5
