mirror of https://github.com/apache/lucene.git
SOLR-7966: set X-Frame-Options to DENY for admin ui
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1698341 13f79535-47bb-0310-9956-ffa450edef68
parent
8ce033a971
commit
bdf516f015
|
@ -220,6 +220,9 @@ Other Changes
|
|||
* SOLR-7979: Fix two typos (in a CoreAdminHandler log message and a TestCloudPivotFacet comment).
|
||||
(Mike Drob via Christine Poerschke)
|
||||
|
||||
* SOLR-7966: Solr Admin UI Solr now sets the HTTP header X-Frame-Options to DENY
|
||||
to avoid clickjacking. (yonik)
|
||||
|
||||
================== 5.3.0 ==================
|
||||
|
||||
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release
|
||||
|
|
|
@ -42,9 +42,11 @@ public final class LoadAdminUiServlet extends BaseSolrServlet {
|
|||
public void doGet(HttpServletRequest request,
|
||||
HttpServletResponse response)
|
||||
throws IOException {
|
||||
|
||||
response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
|
||||
|
||||
// This attribute is set by the SolrDispatchFilter
|
||||
CoreContainer cores = (CoreContainer) request.getAttribute("org.apache.solr.CoreContainer");
|
||||
|
||||
InputStream in = getServletContext().getResourceAsStream("/admin.html");
|
||||
if(in != null && cores != null) {
|
||||
try {
|
||||
|
|
|
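Review bot: The new `addHeader` call appends rather than replaces, so if a filter or reverse proxy in front of this servlet has already emitted X-Frame-Options the admin page goes out with two values, and browsers do not treat conflicting values uniformly; `response.setHeader("X-Frame-Options", "DENY");` makes this servlet's value the single authoritative one. The header is only attached to what this doGet serves, so any other admin UI resources delivered by a different handler are presumably still frameable unless the same header is set there too. Since browsers now treat the Content-Security-Policy `frame-ancestors` directive as the superseding control, adding `response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");` alongside it would cover clients that ignore the legacy header. The trailing comment could also say what is protected, e.g. `// SOLR-7966: admin UI must never be embedded in a frame (clickjacking)`. doGet's body continues past the end of this hunk.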
@ -19,13 +19,19 @@ package org.apache.solr.client.solrj.embedded;
|
|||
|
||||
import java.io.File;
|
||||
import java.net.URL;
|
||||
import java.util.Locale;
|
||||
import java.util.Random;
|
||||
|
||||
import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
|
||||
import org.apache.commons.io.IOUtils;
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
import org.apache.lucene.util.TestUtil;
|
||||
import org.apache.http.Header;
|
||||
import org.apache.http.HttpResponse;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
import org.apache.http.client.methods.HttpRequestBase;
|
||||
import org.apache.solr.SolrJettyTestBase;
|
||||
import org.apache.solr.SolrTestCaseJ4;
|
||||
import org.apache.solr.client.solrj.impl.HttpClientUtil;
|
||||
import org.apache.solr.util.ExternalPaths;
|
||||
import org.eclipse.jetty.server.Connector;
|
||||
import org.eclipse.jetty.server.HttpConnectionFactory;
|
||||
|
@ -37,8 +43,6 @@ import org.junit.Rule;
|
|||
import org.junit.rules.RuleChain;
|
||||
import org.junit.rules.TestRule;
|
||||
|
||||
import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
|
||||
|
||||
/**
|
||||
*
|
||||
* @since solr 1.3
|
||||
|
@ -102,5 +106,14 @@ public class JettyWebappTest extends SolrTestCaseJ4
|
|||
String adminPath = "http://127.0.0.1:"+port+context+"/";
|
||||
byte[] bytes = IOUtils.toByteArray( new URL(adminPath).openStream() );
|
||||
assertNotNull( bytes ); // real error will be an exception
|
||||
|
||||
|
||||
HttpClient client = HttpClientUtil.createClient(null);
|
||||
HttpRequestBase m = new HttpGet(adminPath);
|
||||
HttpResponse response = client.execute(m);
|
||||
assertEquals(200, response.getStatusLine().getStatusCode());
|
||||
Header header = response.getFirstHeader("X-Frame-Options");
|
||||
assertEquals("DENY", header.getValue().toUpperCase(Locale.ROOT));
|
||||
m.releaseConnection();
|
||||
}
|
||||
}
|
||||
|
|
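Review bot: `header.getValue()` in the new assertEquals line dereferences `header` without a null check, so a regression that drops the X-Frame-Options header fails with a NullPointerException instead of a readable assertion; `assertNotNull("X-Frame-Options header missing on " + adminPath, header);` before that line gives the failure a meaningful message. The new `m.releaseConnection()` is not in a `finally`, so any assertion failure above it leaks the connection for the rest of the test run, and the `HttpClient` created by `HttpClientUtil.createClient(null)` is never shut down; wrapping the execute/assert lines in `try { ... } finally { m.releaseConnection(); }` fixes the first. The `toUpperCase(Locale.ROOT)` comparison is reasonable since the header value is case-insensitive, but a short comment such as `// value is case-insensitive per the X-Frame-Options spec` would explain why the test does not compare exactly. The enclosing test method starts outside this hunk.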