mirror of https://github.com/apache/lucene.git
SOLR-3161 An incoming isShard=true should be limited to a SearchHandler. Protects against shards.qt=/update attack
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1305218 13f79535-47bb-0310-9956-ffa450edef68
parent
9491346128
commit
2e666feda9
|
@ -28,6 +28,7 @@ import org.apache.lucene.store.LockObtainFailedException;
|
||||||
import org.apache.solr.common.SolrException;
|
import org.apache.solr.common.SolrException;
|
||||||
import org.apache.solr.common.params.CommonParams;
|
import org.apache.solr.common.params.CommonParams;
|
||||||
import org.apache.solr.common.params.CommonParams.EchoParamStyle;
|
import org.apache.solr.common.params.CommonParams.EchoParamStyle;
|
||||||
|
import org.apache.solr.common.params.ShardParams;
|
||||||
import org.apache.solr.common.params.SolrParams;
|
import org.apache.solr.common.params.SolrParams;
|
||||||
import org.apache.solr.common.util.NamedList;
|
import org.apache.solr.common.util.NamedList;
|
||||||
import org.apache.solr.common.util.SimpleOrderedMap;
|
import org.apache.solr.common.util.SimpleOrderedMap;
|
||||||
|
@ -1542,6 +1543,9 @@ public final class SolrCore implements SolrInfoMBean {
|
||||||
toLog.add("path", req.getContext().get("path"));
|
toLog.add("path", req.getContext().get("path"));
|
||||||
toLog.add("params", "{" + req.getParamString() + "}");
|
toLog.add("params", "{" + req.getParamString() + "}");
|
||||||
|
|
||||||
|
if (req.getParams().getBool(ShardParams.IS_SHARD,false) && !(handler instanceof SearchHandler))
|
||||||
|
throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,"isShard is only acceptable with search handlers");
|
||||||
|
|
||||||
handler.handleRequest(req,rsp);
|
handler.handleRequest(req,rsp);
|
||||||
setResponseHeaderValues(handler,req,rsp);
|
setResponseHeaderValues(handler,req,rsp);
|
||||||
|
|
||||||
|
@ -1587,7 +1591,7 @@ public final class SolrCore implements SolrInfoMBean {
|
||||||
if( params.getBool(CommonParams.HEADER_ECHO_HANDLER, false) ) {
|
if( params.getBool(CommonParams.HEADER_ECHO_HANDLER, false) ) {
|
||||||
responseHeader.add("handler", handler.getName() );
|
responseHeader.add("handler", handler.getName() );
|
||||||
}
|
}
|
||||||
|
|
||||||
// Values for echoParams... false/true/all or false/explicit/all ???
|
// Values for echoParams... false/true/all or false/explicit/all ???
|
||||||
String ep = params.get( CommonParams.HEADER_ECHO_PARAMS, null );
|
String ep = params.get( CommonParams.HEADER_ECHO_PARAMS, null );
|
||||||
if( ep != null ) {
|
if( ep != null ) {
|
||||||
|
|
|
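Review bot: The new guard in front of `handler.handleRequest(req,rsp)` decides by `handler instanceof SearchHandler`, so it depends on the concrete object registered for the path. If a search handler can reach this point behind a wrapper (a lazily loaded handler, for instance), a legitimate `isShard=true` sub-request would be rejected with 400, which is worth confirming against how handlers are registered. The guard also protects only the node that receives the sub-request; the coordinating node presumably still forwards `shards.qt` (that code is not in this hunk), so unpatched shards in a mixed-version cluster would stay exposed. I would brace the `if` and put a short comment above it, e.g. `// SOLR-3161: isShard sub-requests may only target a SearchHandler (blocks shards.qt=/update)`. The enclosing method starts and ends outside the hunk.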
@ -28,6 +28,7 @@ import org.apache.solr.client.solrj.SolrServerException;
|
||||||
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
||||||
import org.apache.solr.client.solrj.response.QueryResponse;
|
import org.apache.solr.client.solrj.response.QueryResponse;
|
||||||
import org.apache.solr.cloud.ChaosMonkey;
|
import org.apache.solr.cloud.ChaosMonkey;
|
||||||
|
import org.apache.solr.common.SolrException;
|
||||||
import org.apache.solr.common.params.CommonParams;
|
import org.apache.solr.common.params.CommonParams;
|
||||||
import org.apache.solr.common.params.ModifiableSolrParams;
|
import org.apache.solr.common.params.ModifiableSolrParams;
|
||||||
import org.apache.solr.common.params.ShardParams;
|
import org.apache.solr.common.params.ShardParams;
|
||||||
|
@ -278,6 +279,15 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase {
|
||||||
query("q","*:*", "rows",100);
|
query("q","*:*", "rows",100);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//SOLR 3161 ensure shards.qt=/update fails (anything but search handler really)
|
||||||
|
// Also see TestRemoteStreaming#testQtUpdateFails()
|
||||||
|
try {
|
||||||
|
query("q","*:*","shards.qt","/update","stream.body","<delete><query>*:*</query></delete>");
|
||||||
|
fail();
|
||||||
|
} catch (SolrException e) {
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
|
||||||
// test debugging
|
// test debugging
|
||||||
handle.put("explain", UNORDERED);
|
handle.put("explain", UNORDERED);
|
||||||
handle.put("debug", UNORDERED);
|
handle.put("debug", UNORDERED);
|
||||||
|
@ -332,7 +342,7 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase {
|
||||||
// TODO: This test currently fails because debug info is obtained only
|
// TODO: This test currently fails because debug info is obtained only
|
||||||
// on shards with matches.
|
// on shards with matches.
|
||||||
// query("q","matchesnothing","fl","*,score", "debugQuery", "true");
|
// query("q","matchesnothing","fl","*,score", "debugQuery", "true");
|
||||||
|
|
||||||
// Thread.sleep(10000000000L);
|
// Thread.sleep(10000000000L);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
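Review bot: The `catch (SolrException e)` block around the `shards.qt=/update` query accepts any SolrException, so the test also passes when the request fails for a reason unrelated to the new isShard guard. Nothing checks that the `<delete>` body in `stream.body` was not applied. Asserting on the exception (its status code or message, depending on how the shard's 400 is surfaced to the client, which is not visible here) and re-running `query("q","*:*", "rows",100);` after the catch would pin the intended behaviour. `fail();` would read better with a message, e.g. `fail("shards.qt=/update must be rejected");`. The test method starts and ends outside the hunk.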