mirror of https://github.com/apache/lucene.git
SOLR-3161 An incoming isShard=true should be limited to a SearchHandler. Protects against shards.qt=/update attack
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1305218 13f79535-47bb-0310-9956-ffa450edef68
parent
9491346128
commit
2e666feda9
|
@ -28,6 +28,7 @@ import org.apache.lucene.store.LockObtainFailedException;
|
||||||
import org.apache.solr.common.SolrException;
|
import org.apache.solr.common.SolrException;
|
||||||
import org.apache.solr.common.params.CommonParams;
|
import org.apache.solr.common.params.CommonParams;
|
||||||
import org.apache.solr.common.params.CommonParams.EchoParamStyle;
|
import org.apache.solr.common.params.CommonParams.EchoParamStyle;
|
||||||
|
import org.apache.solr.common.params.ShardParams;
|
||||||
import org.apache.solr.common.params.SolrParams;
|
import org.apache.solr.common.params.SolrParams;
|
||||||
import org.apache.solr.common.util.NamedList;
|
import org.apache.solr.common.util.NamedList;
|
||||||
import org.apache.solr.common.util.SimpleOrderedMap;
|
import org.apache.solr.common.util.SimpleOrderedMap;
|
||||||
|
@ -1542,6 +1543,9 @@ public final class SolrCore implements SolrInfoMBean {
|
||||||
toLog.add("path", req.getContext().get("path"));
|
toLog.add("path", req.getContext().get("path"));
|
||||||
toLog.add("params", "{" + req.getParamString() + "}");
|
toLog.add("params", "{" + req.getParamString() + "}");
|
||||||
|
|
||||||
|
if (req.getParams().getBool(ShardParams.IS_SHARD,false) && !(handler instanceof SearchHandler))
|
||||||
|
throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,"isShard is only acceptable with search handlers");
|
||||||
|
|
||||||
handler.handleRequest(req,rsp);
|
handler.handleRequest(req,rsp);
|
||||||
setResponseHeaderValues(handler,req,rsp);
|
setResponseHeaderValues(handler,req,rsp);
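Review bot: The new guard ahead of `handler.handleRequest(req,rsp)` is an unbraced `if` with its `throw` on the following line, and nothing at the site says why a non-search handler must refuse `isShard=true`. Because this is a security check that a later refactor could easily move or drop, I would brace it and put a why-comment directly above it, for example `// SOLR-3161: a shard sub-request may only be served by a SearchHandler, so shards.qt cannot route it to another handler such as /update`. The rejection is raised after the request parameters were added to `toLog`, but the refusal itself is not recorded as its own event; if the class logger is in scope here, a warn-level line naming the request path would let operators see these attempts. The enclosing method starts and ends outside the hunk, so how the thrown `SolrException` is reported to the caller cannot be checked from here.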
|
||||||
|
|
||||||
|
|
|
@ -28,6 +28,7 @@ import org.apache.solr.client.solrj.SolrServerException;
|
||||||
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
||||||
import org.apache.solr.client.solrj.response.QueryResponse;
|
import org.apache.solr.client.solrj.response.QueryResponse;
|
||||||
import org.apache.solr.cloud.ChaosMonkey;
|
import org.apache.solr.cloud.ChaosMonkey;
|
||||||
|
import org.apache.solr.common.SolrException;
|
||||||
import org.apache.solr.common.params.CommonParams;
|
import org.apache.solr.common.params.CommonParams;
|
||||||
import org.apache.solr.common.params.ModifiableSolrParams;
|
import org.apache.solr.common.params.ModifiableSolrParams;
|
||||||
import org.apache.solr.common.params.ShardParams;
|
import org.apache.solr.common.params.ShardParams;
|
||||||
|
@ -278,6 +279,15 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase {
|
||||||
query("q","*:*", "rows",100);
|
query("q","*:*", "rows",100);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//SOLR 3161 ensure shards.qt=/update fails (anything but search handler really)
|
||||||
|
// Also see TestRemoteStreaming#testQtUpdateFails()
|
||||||
|
try {
|
||||||
|
query("q","*:*","shards.qt","/update","stream.body","<delete><query>*:*</query></delete>");
|
||||||
|
fail();
|
||||||
|
} catch (SolrException e) {
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
|
||||||
// test debugging
|
// test debugging
|
||||||
handle.put("explain", UNORDERED);
|
handle.put("explain", UNORDERED);
|
||||||
handle.put("debug", UNORDERED);
|
handle.put("debug", UNORDERED);
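Review bot: The `catch (SolrException e)` block of the new SOLR-3161 test accepts any `SolrException`, so the test still passes when the request fails for a reason unrelated to the isShard guard. I would give the failure a message, `fail("shards.qt=/update must be rejected");`, and check the exception in the catch block, e.g. `assertEquals(SolrException.ErrorCode.BAD_REQUEST.code, e.code());`, provided the coordinating node passes the shard's status through unchanged, which is not visible in this hunk. The test also never confirms that the delete in `stream.body` had no effect; repeating a `query("q","*:*", ...)` comparison after the catch would pin the property the fix is meant to protect. The enclosing test method starts and ends outside the hunk.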
|
||||||
|
|