LUCENE-10101: Use getField() instead of getDeclaredField() to minimize security impact by analysis SPI discovery (#298)

2021-09-14 10:31:46 +02:00 · 2021-09-14 10:31:46 +02:00 · 3802bdc686
parent 19537578dd
commit 3802bdc686
2 changed files with 6 additions and 3 deletions
--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@ -310,6 +310,9 @@ Bug fixes

 * LUCENE-10047: Fix a value de-duping bug in LongValueFacetCounts and RangeFacetCounts
  (Greg Miller)
+  
+* LUCENE-10101, LUCENE-9281: Use getField() instead of getDeclaredField() to
+  minimize security impact by analysis SPI discovery. (Uwe Schindler)

 Changes in Backwards Compatibility Policy

--- a/lucene/core/src/java/org/apache/lucene/analysis/AnalysisSPILoader.java
+++ b/lucene/core/src/java/org/apache/lucene/analysis/AnalysisSPILoader.java
@ -174,11 +174,11 @@ public final class AnalysisSPILoader<S extends AbstractAnalysisFactory> {
   */
  public static String lookupSPIName(Class<? extends AbstractAnalysisFactory> service)
      throws NoSuchFieldException, IllegalAccessException, IllegalStateException {
-    final Field field = service.getDeclaredField("NAME");
+    final Field field = service.getField("NAME");
    int modifier = field.getModifiers();
-    if (Modifier.isPublic(modifier)
-        && Modifier.isStatic(modifier)
+    if (Modifier.isStatic(modifier)
        && Modifier.isFinal(modifier)
+        && Objects.equals(field.getDeclaringClass(), service)
        && Objects.equals(field.getType(), String.class)) {
      return ((String) field.get(null));
    }