[ https://issues.apache.org/jira/browse/SOLR-4882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836421#comment-13836421 ]
ASF subversion and git services commented on SOLR-4882:
-------------------------------------------------------
Commit 1546958 from [~thetaphi] in branch 'dev/branches/lucene_solr_3_6'
[ https://svn.apache.org/r1546958 ]
SOLR-5520: Backport of SOLR-4882 (SolrResourceLoader was restricted to only allow access to resource files below the instance dir)
> Restrict SolrResourceLoader to only classloader accessible files and instance dir
> ---------------------------------------------------------------------------------
>
> Key: SOLR-4882
> URL: https://issues.apache.org/jira/browse/SOLR-4882
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 4.3
> Reporter: Uwe Schindler
> Assignee: Uwe Schindler
> Fix For: 4.6, 5.0
>
> Attachments: SOLR-4882.patch, SOLR-4882.patch, SOLR-4882.patch
>
>
> SolrResourceLoader currently allows loading files from any
> absolute/CWD-relative path, which is used as a fallback if the resource
> cannot be looked up via the class loader.
> We should limit this fallback to sub-dirs below the instanceDir passed into
> the ctor. The CWD special case should be removed, too (the virtual CWD is
> the instance's config or root dir).
> The reason for this is security related. Some Solr components allow passing
> in resource paths via REST parameters (e.g. XSL stylesheets, velocity
> templates, ...) and load them via the resource loader. By this it is possible
> to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.
> In 4.4 we should add a solrconfig.xml setting to enable the old behaviour,
> but disable it by default, if your existing installation requires files
> from outside the instance dir which are not available via the URLClassLoader
> used internally. In Lucene 5.0 we should not support this anymore.
--
This message was sent by Atlassian JIRA
(v6.1#6144)