From 2e666feda908068b3551b0b2a9b4c0c86f407c77 Mon Sep 17 00:00:00 2001 From: David Wayne Smiley Date: Mon, 26 Mar 2012 04:44:39 +0000 Subject: [PATCH] SOLR-3161 An incoming isShard=true should be limited to a SearchHandler. Protects against shards.qt=/update attack git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1305218 13f79535-47bb-0310-9956-ffa450edef68 --- .../core/src/java/org/apache/solr/core/SolrCore.java | 6 +++++- .../test/org/apache/solr/TestDistributedSearch.java | 12 +++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/solr/core/src/java/org/apache/solr/core/SolrCore.java b/solr/core/src/java/org/apache/solr/core/SolrCore.java index 5a92ba7cd26..238a6f6f629 100644 --- a/solr/core/src/java/org/apache/solr/core/SolrCore.java +++ b/solr/core/src/java/org/apache/solr/core/SolrCore.java @@ -28,6 +28,7 @@ import org.apache.lucene.store.LockObtainFailedException; import org.apache.solr.common.SolrException; import org.apache.solr.common.params.CommonParams; import org.apache.solr.common.params.CommonParams.EchoParamStyle; +import org.apache.solr.common.params.ShardParams; import org.apache.solr.common.params.SolrParams; import org.apache.solr.common.util.NamedList; import org.apache.solr.common.util.SimpleOrderedMap; @@ -1542,6 +1543,9 @@ public final class SolrCore implements SolrInfoMBean { toLog.add("path", req.getContext().get("path")); toLog.add("params", "{" + req.getParamString() + "}"); + if (req.getParams().getBool(ShardParams.IS_SHARD,false) && !(handler instanceof SearchHandler)) + throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,"isShard is only acceptable with search handlers"); + handler.handleRequest(req,rsp); setResponseHeaderValues(handler,req,rsp); @@ -1587,7 +1591,7 @@ public final class SolrCore implements SolrInfoMBean { if( params.getBool(CommonParams.HEADER_ECHO_HANDLER, false) ) { responseHeader.add("handler", handler.getName() ); } - + // Values for echoParams... false/true/all or false/explicit/all ??? String ep = params.get( CommonParams.HEADER_ECHO_PARAMS, null ); if( ep != null ) { diff --git a/solr/core/src/test/org/apache/solr/TestDistributedSearch.java b/solr/core/src/test/org/apache/solr/TestDistributedSearch.java index 4a88a35e7bb..88d3ab65869 100755 --- a/solr/core/src/test/org/apache/solr/TestDistributedSearch.java +++ b/solr/core/src/test/org/apache/solr/TestDistributedSearch.java @@ -28,6 +28,7 @@ import org.apache.solr.client.solrj.SolrServerException; import org.apache.solr.client.solrj.embedded.JettySolrRunner; import org.apache.solr.client.solrj.response.QueryResponse; import org.apache.solr.cloud.ChaosMonkey; +import org.apache.solr.common.SolrException; import org.apache.solr.common.params.CommonParams; import org.apache.solr.common.params.ModifiableSolrParams; import org.apache.solr.common.params.ShardParams; @@ -278,6 +279,15 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase { query("q","*:*", "rows",100); } + //SOLR 3161 ensure shards.qt=/update fails (anything but search handler really) + // Also see TestRemoteStreaming#testQtUpdateFails() + try { + query("q","*:*","shards.qt","/update","stream.body","*:*"); + fail(); + } catch (SolrException e) { + //expected + } + // test debugging handle.put("explain", UNORDERED); handle.put("debug", UNORDERED); @@ -332,7 +342,7 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase { // TODO: This test currently fails because debug info is obtained only // on shards with matches. // query("q","matchesnothing","fl","*,score", "debugQuery", "true"); - + // Thread.sleep(10000000000L); }