SOLR-12417: enforce valid function name for v.json

yonik 2018-05-30 10:15:09 -04:00
parent d27a2e8996
commit 107fd24ec7
3 changed files with 14 additions and 0 deletions


@ -276,6 +276,8 @@ Bug Fixes
* SOLR-12314: Use http timeout's defined in solr.xml for creating ConcurrentUpdateSolrClient during * SOLR-12314: Use http timeout's defined in solr.xml for creating ConcurrentUpdateSolrClient during
indexing requests between leader and replica ( Mark Miller, Varun Thacker) indexing requests between leader and replica ( Mark Miller, Varun Thacker)
* SOLR-12417: velocity response writer should enforce valid function name for v.json parameter (yonik)
Optimizations Optimizations
---------------------- ----------------------


@ -35,6 +35,7 @@ import org.apache.commons.lang.StringUtils;
import org.apache.solr.client.solrj.SolrResponse; import org.apache.solr.client.solrj.SolrResponse;
import org.apache.solr.client.solrj.response.QueryResponse; import org.apache.solr.client.solrj.response.QueryResponse;
import org.apache.solr.client.solrj.response.SolrResponseBase; import org.apache.solr.client.solrj.response.SolrResponseBase;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.CommonParams; import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.util.NamedList; import org.apache.solr.common.util.NamedList;
import org.apache.solr.core.SolrCore; import org.apache.solr.core.SolrCore;
@ -184,6 +185,11 @@ public class VelocityResponseWriter implements QueryResponseWriter, SolrCoreAwar
} }
if (jsonWrapper != null) { if (jsonWrapper != null) {
for (int i=0; i<jsonWrapper.length(); i++) {
if (!Character.isJavaIdentifierPart(jsonWrapper.charAt(i))) {
throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Invalid function name for " + JSON + ": '" + jsonWrapper + "'");
}
}
writer.write(jsonWrapper + "("); writer.write(jsonWrapper + "(");
writer.write(getJSONWrap(stringWriter.toString())); writer.write(getJSONWrap(stringWriter.toString()));
writer.write(')'); writer.write(')');
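Review bot: The new loop validates every character with `Character.isJavaIdentifierPart`, so the first character is never checked with `isJavaIdentifierStart`: a callback name beginning with a digit passes, and an empty (non-null) `jsonWrapper` skips the loop entirely and is written as `(`. `isJavaIdentifierPart` also returns true for identifier-ignorable control characters (see its Javadoc), which are not what a caller means by "valid function name" for a JSONP wrapper. I would guard the first character explicitly, `if (jsonWrapper.isEmpty() || !Character.isJavaIdentifierStart(jsonWrapper.charAt(0))) { throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Invalid function name for " + JSON + ": '" + jsonWrapper + "'"); }`, and extend the loop condition to `if (!Character.isJavaIdentifierPart(c) || Character.isIdentifierIgnorable(c))`. A one-line comment above the loop, `// JSONP callback: restrict to identifier characters so the reflected parameter cannot inject script`, would record why the check exists. The enclosing method of this hunk starts and ends outside the hunk.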


@ -17,6 +17,7 @@
package org.apache.solr.velocity; package org.apache.solr.velocity;
import org.apache.solr.SolrTestCaseJ4; import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.util.NamedList; import org.apache.solr.common.util.NamedList;
import org.apache.solr.response.QueryResponseWriter; import org.apache.solr.response.QueryResponseWriter;
import org.apache.solr.response.SolrParamResourceLoader; import org.apache.solr.response.SolrParamResourceLoader;
@ -187,6 +188,11 @@ public class VelocityResponseWriterTest extends SolrTestCaseJ4 {
VelocityResponseWriter.TEMPLATE, "numFound", VelocityResponseWriter.TEMPLATE, "numFound",
VelocityResponseWriter.JSON,"foo", VelocityResponseWriter.JSON,"foo",
VelocityResponseWriter.LAYOUT,"layout"))); VelocityResponseWriter.LAYOUT,"layout")));
assertQEx("Bad function name should throw exception", req("q", "*:*", "wt", "velocity",
VelocityResponseWriter.TEMPLATE, "numFound",
VelocityResponseWriter.JSON,"<foo>"), SolrException.ErrorCode.BAD_REQUEST
);
} }
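Review bot: The added `assertQEx` pins a single rejected value, `<foo>`, so the test would still pass if the writer only filtered angle brackets rather than enforcing identifier syntax. A second negative case with a different class of disallowed character, for example `VelocityResponseWriter.JSON, "foo bar"` (a space) or `"foo()"`, would make the intent of the check explicit; a leading-digit case such as `"1foo"` would also document whether the writer is expected to accept only names a JavaScript engine can call, which the current implementation appears not to distinguish. The positive `"foo"` request above the hunk already covers the accepting path. The enclosing test method starts outside this hunk.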
@Test @Test