[SOLR-14071] Untrusted configsets shouldn't be allowed to use <lib> directive - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.4
Component/s: None
Labels:
None

Description

Allowing untrusted configsets, i.e. those have been uploaded using the configset upload API without authx enabled, to use the <lib> directive can open up possibilities for malicious users to include insecure contribs libraries.

Whoever wants to use their own libraries can add them to the classpath of Solr (i.e. place them wherever solr-core-*jar resides). For them, the <lib> directive won't be necessary anyway.

Update: another workaround (that is NOT RECOMMENDED) for this problem is to set the configset's "trusted" flag to true using direct ZK edit:

bin/zkCli.sh -server zk1:2181 set /configs/myConfigSet '{"trusted": "true"}'

^ This requires Zookeeper's CLI.
The same can be done via Java as well (here, we're unsetting the znode so that it is trusted):

      try (SolrZkClient zkClient = new SolrZkClient(zookeeper.getHost() + ":" + zookeeper.getPort(), 100)) {
        zkClient.setData(ZkConfigManager.CONFIGS_ZKNODE + "/" + configset, (byte[]) null, true);
      }