SOLR-7966: set X-Frame-Options to DENY for admin ui

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1698341 13f79535-47bb-0310-9956-ffa450edef68

solr/CHANGES.txt

@@ -220,6 +220,9 @@ Other Changes
 * SOLR-7979: Fix two typos (in a CoreAdminHandler log message and a TestCloudPivotFacet comment).
   (Mike Drob via Christine Poerschke)
 
+* SOLR-7966: Solr Admin UI Solr now sets the HTTP header X-Frame-Options to DENY
+  to avoid clickjacking. (yonik)
+
 ==================  5.3.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release

solr/core/src/java/org/apache/solr/servlet/LoadAdminUiServlet.java

@@ -42,9 +42,11 @@ public final class LoadAdminUiServlet extends BaseSolrServlet {
   public void doGet(HttpServletRequest request,
                     HttpServletResponse response)
       throws IOException {
+
+    response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
+
     // This attribute is set by the SolrDispatchFilter
     CoreContainer cores = (CoreContainer) request.getAttribute("org.apache.solr.CoreContainer");
-
     InputStream in = getServletContext().getResourceAsStream("/admin.html");
     if(in != null && cores != null) {
       try {

solr/solrj/src/test/org/apache/solr/client/solrj/embedded/JettyWebappTest.java

@@ -19,13 +19,19 @@ package org.apache.solr.client.solrj.embedded;
 
 import java.io.File;
 import java.net.URL;
+import java.util.Locale;
 import java.util.Random;
 
+import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
 import org.apache.commons.io.IOUtils;
-import org.apache.lucene.util.LuceneTestCase;
-import org.apache.lucene.util.TestUtil;
+import org.apache.http.Header;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.solr.SolrJettyTestBase;
 import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.impl.HttpClientUtil;
 import org.apache.solr.util.ExternalPaths;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -37,8 +43,6 @@ import org.junit.Rule;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
 
-import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
-
 /**
  *
  * @since solr 1.3
@@ -53,9 +57,9 @@ public class JettyWebappTest extends SolrTestCaseJ4
     RuleChain.outerRule(new SystemPropertiesRestoreRule());
 
   Server server;
-  
+
   @Override
-  public void setUp() throws Exception 
+  public void setUp() throws Exception
   {
     super.setUp();
     System.setProperty("solr.solr.home", SolrJettyTestBase.legacyExampleCollection1SolrHome());
@@ -84,7 +88,7 @@ public class JettyWebappTest extends SolrTestCaseJ4
   }
 
   @Override
-  public void tearDown() throws Exception 
+  public void tearDown() throws Exception
   {
     try {
       server.stop();
@@ -102,5 +106,14 @@ public class JettyWebappTest extends SolrTestCaseJ4
     String adminPath = "http://127.0.0.1:"+port+context+"/";
     byte[] bytes = IOUtils.toByteArray( new URL(adminPath).openStream() );
     assertNotNull( bytes ); // real error will be an exception
+
+
+    HttpClient client = HttpClientUtil.createClient(null);
+    HttpRequestBase m = new HttpGet(adminPath);
+    HttpResponse response = client.execute(m);
+    assertEquals(200, response.getStatusLine().getStatusCode());
+    Header header = response.getFirstHeader("X-Frame-Options");
+    assertEquals("DENY", header.getValue().toUpperCase(Locale.ROOT));
+    m.releaseConnection();
   }
 }