[ https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988408#comment-16988408 ]

Robert Muir commented on SOLR-14015:
------------------------------------

[~erickerickson] that is a good kind of thing to fix, just commit it, I will 
deal :). I don't think that specific test bothered this patch here simply 
because of the way the test is written. I'm guessing the SecurityException gets 
boxed in a RemoteSolrException or whatever and the tests passed anyway 
regardless of why the access was denied.

The WTFs here are for tests that really couldn't handle the SecurityException 
for some reason. They can probably be easily fixed after the fact. It's just 
more work, and you gotta start somewhere :)

> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
>                 Key: SOLR-14015
>                 URL: https://issues.apache.org/jira/browse/SOLR-14015
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately, currently the solr policy allows read to ALL FILES.
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or 
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal 
> attacks, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
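An added illustration, not code from the Solr or Lucene projects and not part of this Jira thread, of what the two kinds of grant actually cover. It uses the JDK's own java.io.FilePermission implication check, which is the same comparison a SecurityManager makes against a policy file, so it runs without installing a SecurityManager. The only Solr-specific fact taken from the issue is that the test policy granted "<<ALL FILES>>" read; the test working and temp directory paths, the .ssh path, and the exception-wrapping helper are constructed assumptions (the exact Solr client wrapper type is not reproduced here).

```java
import java.io.FilePermission;
import java.security.PermissionCollection;

/**
 * Compares a blanket filesystem read grant with a scoped one using
 * FilePermission.implies(), the check a SecurityManager performs for
 * each file access against the loaded policy.
 * Added example; all paths below are constructed for illustration.
 */
public class PolicyGrantCheck {

    /** Policy-file equivalent: permission java.io.FilePermission "<<ALL FILES>>", "read"; */
    static PermissionCollection blanketReadGrant() {
        PermissionCollection pc = new FilePermission("/", "read").newPermissionCollection();
        pc.add(new FilePermission("<<ALL FILES>>", "read"));
        return pc;
    }

    /**
     * Policy-file equivalent of grants limited to the test's own working and
     * temp trees. The "/-" suffix covers the directory and everything below it;
     * "/*" would cover only the directory's immediate entries.
     */
    static PermissionCollection scopedGrant(String testCwd, String testTmp) {
        PermissionCollection pc = new FilePermission("/", "read").newPermissionCollection();
        pc.add(new FilePermission(testCwd + "/-", "read"));
        pc.add(new FilePermission(testTmp + "/-", "read,write,delete"));
        return pc;
    }

    /** True if the given grants would let code read the path. */
    static boolean allowsRead(PermissionCollection grants, String path) {
        return grants.implies(new FilePermission(path, "read"));
    }

    /**
     * Simulates a client-side wrapper around a server-side SecurityException
     * (assumption: the wrapper type stands in for whatever the real client throws).
     */
    static RuntimeException wrappedDenial() {
        return new RuntimeException("request failed", new SecurityException("access denied"));
    }

    /**
     * A test that only asserts "something was thrown" passes no matter why the
     * request failed; walking to the root cause is what lets it tell a policy
     * denial apart from the failure it was actually written to check.
     */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    public static void main(String[] args) {
        String cwd = "/tmp/solr-test-cwd";            // constructed
        String tmp = "/tmp/solr-test-tmp";            // constructed
        String sshKey = "/home/someone/.ssh/id_rsa";  // constructed, outside the test tree

        PermissionCollection blanket = blanketReadGrant();
        PermissionCollection scoped = scopedGrant(cwd, tmp);

        System.out.println("blanket reads test tmp: " + allowsRead(blanket, tmp + "/index/_0.cfs"));
        System.out.println("blanket reads ~/.ssh:   " + allowsRead(blanket, sshKey));
        System.out.println("scoped  reads test tmp: " + allowsRead(scoped, tmp + "/index/_0.cfs"));
        System.out.println("scoped  reads ~/.ssh:   " + allowsRead(scoped, sshKey));

        RuntimeException e = wrappedDenial();
        System.out.println("thrown: " + e.getClass().getSimpleName()
                + ", root cause: " + rootCause(e).getClass().getSimpleName());
    }
}
```

The blanket collection implies read on both the index file under the test temp directory and the constructed .ssh key path, which is exactly the exposure the issue describes; the scoped collection implies read only on the path under the test tree. The last two lines show why a test that merely catches the outer exception cannot distinguish a policy denial from the failure it meant to exercise: the thrown type is the wrapper, and only the root cause is the SecurityException.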
