[ https://issues.apache.org/jira/browse/SOLR-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uwe Schindler updated SOLR-2631:
--------------------------------

    Attachment: SOLR-2631.patch

This patch fixes the bug.

Hoss said, we could also simply check the qt param but I decided to do the 
instanceof check: If the PingRequestHandler is registered multiple times in the 
solrconfig.xml (e.g. by different URI paths or different names), the infinite 
loop could still occur. The PingRequestHandler should generally disallow 
calling itself.

> PingRequestHandler can infinite loop if called with a qt that points to 
> itself
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-2631
>                 URL: https://issues.apache.org/jira/browse/SOLR-2631
>             Project: Solr
>          Issue Type: Bug
>          Components: search, web gui
>    Affects Versions: 1.4, 3.1, 3.2, 3.3
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>             Fix For: 3.4, 4.0
>
>         Attachments: SOLR-2631.patch
>
>
> We got a security report to priv...@lucene.apache.org, that Solr can infinite 
> loop, use 100% CPU and stack overflow, if you execute the following HTTP 
> request: 
> - http://localhost:8983/solr/select?qt=/admin/ping
> - http://localhost:8983/admin/ping?qt=/admin/ping
> The qt parameter instructs PingRequestHandler to call the given request 
> handler. This leads to an infinite loop. This is not a security issue, but 
> for an unprotected Solr server with unprotected /solr/select path this makes 
> it stop working.
> The fix is to prevent infinite loop by disallowing calling itself.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
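The self-dispatch loop described in the issue, and the reason the comment prefers an instanceof check over comparing the qt value with one handler name, as an added Java illustration that is not Solr's code: the registry map, the Handler interface, the handler names and the recursion depth limit are all assumptions of this toy model.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model (assumption, not Solr's classes): a registry maps handler names/paths to
// handlers, and a ping-style handler forwards the same request to whatever qt names.
interface Handler {
    String handle(Map<String, Handler> registry, String qt, int depth);
}

class SelectHandler implements Handler {
    public String handle(Map<String, Handler> registry, String qt, int depth) {
        return "results";
    }
}

class PingHandler implements Handler {
    enum Guard { NONE, BY_NAME, BY_INSTANCE }
    private final Guard guard;
    PingHandler(Guard guard) { this.guard = guard; }

    public String handle(Map<String, Handler> registry, String qt, int depth) {
        if (depth > 100) return "LOOP";      // stands in for the reported stack overflow
        Handler target = registry.get(qt);
        if (target == null) return "unknown qt";
        boolean callsItself =
              guard == Guard.BY_NAME     ? "/admin/ping".equals(qt)       // one canonical name only
            : guard == Guard.BY_INSTANCE ? target instanceof PingHandler  // any registration of it
            : false;
        if (callsItself) return "rejected";
        // The ping forwards the same request (same qt) to the resolved handler.
        return target.handle(registry, qt, depth + 1);
    }
}

public class PingLoopDemo {
    static String run(PingHandler.Guard guard, String qt) {
        PingHandler ping = new PingHandler(guard);
        Map<String, Handler> registry = new HashMap<>();
        registry.put("/select", new SelectHandler());
        registry.put("/admin/ping", ping);
        registry.put("/admin/ping2", ping);  // same handler registered under a second path
        return ping.handle(registry, qt, 0);
    }

    public static void main(String[] args) {
        System.out.println(run(PingHandler.Guard.NONE, "/admin/ping"));          // no guard at all
        System.out.println(run(PingHandler.Guard.BY_NAME, "/admin/ping"));       // name guard, canonical name
        System.out.println(run(PingHandler.Guard.BY_NAME, "/admin/ping2"));      // name guard, second registration
        System.out.println(run(PingHandler.Guard.BY_INSTANCE, "/admin/ping2"));  // instanceof guard, second registration
        System.out.println(run(PingHandler.Guard.BY_INSTANCE, "/select"));       // instanceof guard, normal forward
    }
}
```

The third run shows why a fixed-name check is insufficient: the second registration of the same handler slips past it and recurses until the depth limit, while the instanceof guard rejects it and still lets a ping forward to a different handler.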