SOLR-3161 An incoming isShard=true should be limited to a SearchHandler. Protects against shards.qt=/update attack

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1305218 13f79535-47bb-0310-9956-ffa450edef68
David Wayne Smiley 2012-03-26 04:44:39 +00:00
parent 9491346128
commit 2e666feda9
2 changed files with 16 additions and 2 deletions


@ -28,6 +28,7 @@ import org.apache.lucene.store.LockObtainFailedException;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.params.CommonParams.EchoParamStyle;
import org.apache.solr.common.params.ShardParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.common.util.SimpleOrderedMap;
@ -1542,6 +1543,9 @@ public final class SolrCore implements SolrInfoMBean {
toLog.add("path", req.getContext().get("path"));
toLog.add("params", "{" + req.getParamString() + "}");
if (req.getParams().getBool(ShardParams.IS_SHARD,false) && !(handler instanceof SearchHandler))
throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,"isShard is only acceptable with search handlers");
handler.handleRequest(req,rsp);
setResponseHeaderValues(handler,req,rsp);
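Review bot: The new guard in front of `handler.handleRequest(req,rsp)` has no comment saying why it exists, and it is a security control that a later refactor could drop without anyone noticing. I would put `// SOLR-3161: a shard sub-request (isShard=true) may only reach a SearchHandler; otherwise shards.qt can route it to e.g. /update` above the `if`, and brace the statement so the `throw` cannot become detached from its condition. The check fires only when the request itself carries isShard=true, so it presumably depends on the coordinating node always setting that parameter on sub-requests; this hunk does not show that and it is worth confirming. The enclosing method starts and ends outside the hunk.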


@ -28,6 +28,7 @@ import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
import org.apache.solr.client.solrj.response.QueryResponse;
import org.apache.solr.cloud.ChaosMonkey;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.ShardParams;
@ -278,6 +279,15 @@ public class TestDistributedSearch extends BaseDistributedSearchTestCase {
query("q","*:*", "rows",100);
}
//SOLR 3161 ensure shards.qt=/update fails (anything but search handler really)
// Also see TestRemoteStreaming#testQtUpdateFails()
try {
query("q","*:*","shards.qt","/update","stream.body","<delete><query>*:*</query></delete>");
fail();
} catch (SolrException e) {
//expected
}
// test debugging
handle.put("explain", UNORDERED);
handle.put("debug", UNORDERED);
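Review bot: The try/catch around the `shards.qt=/update` query passes on any SolrException, so it shows neither that the request was rejected by the new isShard check nor that the delete-by-query in `stream.body` never ran. I would follow the block with an explicit check that the index still holds the documents added earlier in the test, since that is the property the fix protects. Checking the exception's status or message in the catch would also help, if the shard's error survives the coordinator unchanged (not visible here). `fail()` should carry a message, for example `fail("shards.qt=/update must be rejected");`, so a regression is readable in the report. The test method starts and ends outside the hunk.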