SOLR-7966: set X-Frame-Options to DENY for admin ui

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1698341 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yonik Seeley 2015-08-28 14:47:58 +00:00
parent 8ce033a971
commit bdf516f015
3 changed files with 26 additions and 8 deletions


@ -220,6 +220,9 @@ Other Changes
* SOLR-7979: Fix two typos (in a CoreAdminHandler log message and a TestCloudPivotFacet comment).
(Mike Drob via Christine Poerschke)
* SOLR-7966: Solr Admin UI Solr now sets the HTTP header X-Frame-Options to DENY
to avoid clickjacking. (yonik)
================== 5.3.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release


@ -42,9 +42,11 @@ public final class LoadAdminUiServlet extends BaseSolrServlet {
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws IOException {
response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
// This attribute is set by the SolrDispatchFilter
CoreContainer cores = (CoreContainer) request.getAttribute("org.apache.solr.CoreContainer");
InputStream in = getServletContext().getResourceAsStream("/admin.html");
if(in != null && cores != null) {
try {
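Review bot: `response.addHeader` on the line added at the top of doGet appends rather than replaces, so if an upstream filter or a fronting proxy already emits X-Frame-Options the client can receive two values, and browsers handle a duplicated or conflicting X-Frame-Options header inconsistently (some ignore it outright). `response.setHeader("X-Frame-Options", "DENY");` yields a single authoritative value and is the safer choice here. The header is only attached to the admin.html response produced by this servlet; the static assets and JSON endpoints the UI loads afterwards are not covered, which is presumably fine because the page itself is the clickjacking target, but worth confirming against how the UI is deployed. `Content-Security-Policy: frame-ancestors 'none'` is the standards-track equivalent the project may want to add alongside it later. doGet's body continues past the end of the hunk.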


@ -19,13 +19,19 @@ package org.apache.solr.client.solrj.embedded;
import java.io.File;
import java.net.URL;
import java.util.Locale;
import java.util.Random;
import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
import org.apache.commons.io.IOUtils;
import org.apache.lucene.util.LuceneTestCase;
import org.apache.lucene.util.TestUtil;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.solr.SolrJettyTestBase;
import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.util.ExternalPaths;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConnectionFactory;
@ -37,8 +43,6 @@ import org.junit.Rule;
import org.junit.rules.RuleChain;
import org.junit.rules.TestRule;
import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
/**
*
* @since solr 1.3
@ -102,5 +106,14 @@ public class JettyWebappTest extends SolrTestCaseJ4
String adminPath = "http://127.0.0.1:"+port+context+"/";
byte[] bytes = IOUtils.toByteArray( new URL(adminPath).openStream() );
assertNotNull( bytes ); // real error will be an exception
HttpClient client = HttpClientUtil.createClient(null);
HttpRequestBase m = new HttpGet(adminPath);
HttpResponse response = client.execute(m);
assertEquals(200, response.getStatusLine().getStatusCode());
Header header = response.getFirstHeader("X-Frame-Options");
assertEquals("DENY", header.getValue().toUpperCase(Locale.ROOT));
m.releaseConnection();
}
}
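Review bot: `header.getValue()` on the line after `getFirstHeader("X-Frame-Options")` dereferences the result without a null check, so a missing header fails the test with a NullPointerException instead of a message saying what was expected; add `assertNotNull("X-Frame-Options header missing", header);` before it. `m.releaseConnection()` is also skipped whenever one of the preceding asserts throws, so wrapping the request in try/finally (and shutting down the client created by `HttpClientUtil.createClient(null)`) would keep a failing assertion from leaking the connection into the rest of the suite. The test method's opening lines are outside the hunk.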