[ https://issues.apache.org/jira/browse/SOLR-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Uwe Schindler updated SOLR-2631:
--------------------------------

    Attachment: SOLR-2631.patch

This patch fixes the bug. Hoss said we could also simply check the qt param, but I decided to do the instanceof check: If the PingRequestHandler is registered multiple times in the solrconfig.xml (e.g. by different URI paths or different names), the infinite loop could still occur. The PingRequestHandler should generally disallow calling itself.

> PingRequestHandler can infinite loop if called with a qt that points to itself
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-2631
>                 URL: https://issues.apache.org/jira/browse/SOLR-2631
>             Project: Solr
>          Issue Type: Bug
>          Components: search, web gui
>   Affects Versions: 1.4, 3.1, 3.2, 3.3
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>             Fix For: 3.4, 4.0
>
>         Attachments: SOLR-2631.patch
>
>
> We got a security report to priv...@lucene.apache.org, that Solr can infinite
> loop, use 100% CPU and stack overflow, if you execute the following HTTP
> request:
> - http://localhost:8983/solr/select?qt=/admin/ping
> - http://localhost:8983/admin/ping?qt=/admin/ping
> The qt parameter instructs PingRequestHandler to call the given request
> handler. This leads to an infinite loop. This is not a security issue, but
> for an unprotected Solr server with unprotected /solr/select path this makes
> it stop working.
> The fix is to prevent the infinite loop by disallowing calling itself.
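
The difference between the two guards discussed in the comment above, as an added example that is not part of the original message and is not Solr's code. It is a simplified model: `Request`, `Handler`, `PingHandler`, `SearchHandler`, the `/ping2` and `/search` registrations and the hop limit are hypothetical, and the name-based check is assumed to compare `qt` with the path the request arrived on.

```java
import java.util.Map;

// Simplified model with hypothetical names; this is not Solr's API.
public class PingGuardDemo {
    record Request(String path, String qt) {}

    interface Handler {
        String handle(Request req, Map<String, Handler> registry, int hops);
    }

    // Stand-in for an ordinary search handler.
    static class SearchHandler implements Handler {
        public String handle(Request req, Map<String, Handler> registry, int hops) {
            return "OK";
        }
    }

    // Stand-in for a ping handler that forwards the request to the handler named by qt.
    static class PingHandler implements Handler {
        private final boolean checkByType;
        PingHandler(boolean checkByType) { this.checkByType = checkByType; }

        public String handle(Request req, Map<String, Handler> registry, int hops) {
            // Hop limit exists only so the demo reports the loop instead of overflowing the stack.
            if (hops > 100) return "LOOP";
            Handler target = registry.get(req.qt());
            if (target == null) return "ERROR: unknown handler " + req.qt();
            // Name check (assumed form): compare qt with the path the request arrived on.
            // Type check: refuse any target that is itself a ping handler.
            boolean self = checkByType ? target instanceof PingHandler
                                       : req.qt().equals(req.path());
            if (self) return "ERROR: ping handler cannot call itself";
            return target.handle(req, registry, hops + 1);
        }
    }

    static String ping(boolean checkByType, String path, String qt) {
        Map<String, Handler> registry = Map.of(
            "/search", new SearchHandler(),
            "/admin/ping", new PingHandler(checkByType),
            "/ping2", new PingHandler(checkByType)); // constructed second registration
        return registry.get(path).handle(new Request(path, qt), registry, 0);
    }

    public static void main(String[] args) {
        System.out.println("name check, qt=/admin/ping: " + ping(false, "/admin/ping", "/admin/ping"));
        System.out.println("name check, qt=/ping2:      " + ping(false, "/admin/ping", "/ping2"));
        System.out.println("type check, qt=/ping2:      " + ping(true, "/admin/ping", "/ping2"));
        System.out.println("type check, qt=/search:     " + ping(true, "/admin/ping", "/search"));
    }
}
```

In this model the name check stops the direct self-reference but still loops when `qt` names the second ping registration, while the type check rejects both and leaves delegation to other handlers working.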