SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

Uwe Schindler 2018-05-06 14:21:34 +02:00
parent 89fc02a3b0
commit 1b76011421
3 changed files with 24 additions and 12 deletions


@ -212,6 +212,9 @@ Bug Fixes
* SOLR-12293: Updates need to use their own connection pool to maintain connection reuse and prevent spurious
recoveries. (Mark Miller)
* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
(Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
Optimizations
----------------------


@ -16,9 +16,6 @@
*/
package org.apache.solr.util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.lucene.analysis.util.ResourceLoader;
import org.xml.sax.InputSource;
@ -26,7 +23,6 @@ import org.xml.sax.EntityResolver;
import org.xml.sax.ext.EntityResolver2;
import java.io.File;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.net.URI;
import java.net.URISyntaxException;
import javax.xml.transform.Source;
@ -55,7 +51,6 @@ import javax.xml.stream.XMLStreamException;
* </pre>
*/
public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
@ -126,8 +121,9 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
@Override
public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
if (systemId == null)
if (systemId == null) {
return null;
}
try {
final URI uri = resolveRelativeURI(baseURI, systemId);
@ -147,12 +143,10 @@ public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
throw new IOException(re.getMessage(), re);
}
} else {
// resolve all other URIs using the standard resolver
return null;
throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
}
} catch (URISyntaxException use) {
log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
return null;
throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
}
}
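Review bot: The new `throw` in the `catch (URISyntaxException use)` branch changes the documented contract of this resolver from "fall back to the default JAXP resolver" to "fail hard", but nothing in the hunk updates the class-level Javadoc that ends just before L39 (outside this hunk); if that Javadoc still describes the fallback behaviour, it should now state that absolute `systemId`s and malformed URIs raise an `IOException` so that callers do not rely on the parser's default resolution. The message on the new line also keeps the old article error: `throw new IOException("A URI syntax problem occurred during resolving systemId: " + systemId, use);`. Both new exceptions are plain `IOException`, which callers cannot tell apart from a genuine read failure; a short comment above the absolute-URI branch, e.g. `// absolute systemIds (file:, http:, ...) are rejected on purpose: only loader-relative paths may be included`, would make the intent survive future refactoring. The enclosing `resolveEntity` method starts in the previous hunk at L45, so the `try` whose `catch` is changed here begins outside this hunk.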


@ -17,6 +17,7 @@
package org.apache.solr.util;
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import org.apache.commons.io.IOUtils;
@ -76,8 +77,22 @@ public class TestSystemIdResolver extends LuceneTestCase {
assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
// test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
// if somebody uses an absolute uri (e.g., file://) we should fail resolving:
IOException ioe = expectThrows(IOException.class, () -> {
resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
});
assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
ioe = expectThrows(IOException.class, () -> {
resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
});
assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
// check that we can't escape with absolute file paths:
ioe = expectThrows(IOException.class, () -> {
resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
});
assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
}
}
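Review bot: The assertion for the `/etc/passwd` case pins a message prefix (`"Can't find resource '/etc/passwd' in classpath or"`) that is produced by the `ResourceLoader`, not by `SystemIdResolver`, so this test will break on any wording change in the loader while still passing if the loader's lookup scope were widened; asserting that the resolved resource is simply not found, independent of the message text, would be more robust. Note that the resolver hunk in `SystemIdResolver.java` does not normalize the resolved path, so the guarantee this test relies on for scheme-less absolute paths rests entirely on the loader; if that is intended, a comment such as `// scheme-less absolute paths are resolved relative to the loader, which confines them; the resolver itself does not check` would document it, and a sibling case using a parent-directory relative path would confirm the loader rejects it too. The test method containing these assertions starts before this hunk.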