[
https://issues.apache.org/jira/browse/SOLR-4882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13671482#comment-13671482
]
Uwe Schindler commented on SOLR-4882:
-------------------------------------
bq. How do paths work when under ZK? Is it allowed to do ../../some/path to
read ZK data outside "conf"?
No idea at all. I don't know how ZK works, I only know that ZK gets queried
with the full path, I have no idea if ../ and stuff works at all with ZK. I
think Mark can explain. I just fixed one small thing in the ZKResourceLoader,
unrelated to ZK (the slashes when querying classloader must be forward).
bq. Probably good enough. An alternative to allow-everything could be a config
option safePaths=/etc/solr/conf,/ext/other/path option to let RL see selected
safe paths outside instanceDir. Windows users don't have symlinks so this could
be nice for htem.
Windows 7 and Server 2008 have symlinks. Nevertheless, this was the question to
Mark miller. We have a hierarchy of SolrResourceLoaders (one for the startup
and one for each core). Ideally, we would atomatically allow access to the
directories of the parent ResourceLoader. Unfortunately, there is currently
only a hierrarchy in the ClassLoaders not in the SolrResourceLoader as a whole
(the core SolrResourceLoaders are not childs of the parent SolrResourceLoader,
only the inner ClassLoaders use the hierarchy.
> Restrict SolrResourceLoader to only classloader accessible files and instance
> dir
> ---------------------------------------------------------------------------------
>
> Key: SOLR-4882
> URL: https://issues.apache.org/jira/browse/SOLR-4882
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 4.3
> Reporter: Uwe Schindler
> Assignee: Uwe Schindler
> Fix For: 5.0, 4.4
>
> Attachments: SOLR-4882.patch
>
>
> SolrResourceLoader currently allows to load files from any
> absolute/CWD-relative path, which is used as a fallback if the resource
> cannot be looked up via the class loader.
> We should limit this fallback to sub-dirs below the instanceDir passed into
> the ctor. The CWD special case should be removed, too (the virtual CWD is
> instance's config or root dir).
> The reason for this is security related. Some Solr components allow to pass
> in resource paths via REST parameters (e.g. XSL stalesheets,...) and load
> them via resource loader. By this it is possible to limit the whole thing to
> not allow loading e.g. /etc/passwd as a stylesheet.
> In 4.4 we should add a solrconfig.xml setting to enable the old behaviour,
> but disable it by default, if your existing installation requires the files
> from outside the instance dir which are not available via the URLClassLoader
> used internally. In Lucene 5.0 we should not support this anymore.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
