[ https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988472#comment-16988472 ]

ASF subversion and git services commented on SOLR-14015:
--------------------------------------------------------

Commit 5325c29cf9c122978333d6ff029940319cce71cc in lucene-solr's branch 
refs/heads/branch_8x from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=5325c29 ]

SOLR-14015: remove blanket filesystem read access from solr-tests.policy

Restrict this to only minimal paths like lucene. It is the defense for 
directory traversal attacks.
It will also help find bad bugs where things are reading filesystem in the 
wrong locations.


> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
>                 Key: SOLR-14015
>                 URL: https://issues.apache.org/jira/browse/SOLR-14015
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately currently the solr policy allows read to ALL FILES.
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or 
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal 
> attacks, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
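
A check for the condition this issue removes, as an added example that is not part of the original message or the Solr patch: a small Python scanner that flags `java.io.FilePermission` grants giving read access to the whole filesystem or a whole home directory in a Java policy file. Both policy texts and the property name `example.src.dir` are constructed for illustration and are not the contents of solr-tests.policy.

```python
import re

# Constructed sample: blanket read access, the pattern the issue describes.
BLANKET_POLICY = '''
grant {
  // read access to every file on the machine
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};
'''

# Constructed sample: read access only below named roots.
# "example.src.dir" is a placeholder property, not one from the project.
SCOPED_POLICY = '''
grant codeBase "file://${example.src.dir}/-" {
  // permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "${example.src.dir}${/}-", "read";
  permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};
'''

PERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')

# Targets covering the whole filesystem or a whole home directory.
BROAD = {"<<ALL FILES>>", "/-", "${/}-", "${user.home}/-", "${user.home}${/}-"}

def strip_comments(text):
    """Drop // and /* */ comments but keep quoted strings intact,
    so a '//' inside a codeBase URL is not mistaken for a comment."""
    token = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
    return token.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def blanket_reads(policy_text):
    """Return (target, actions) for each FilePermission granting broad read."""
    findings = []
    for target, actions in PERM_RE.findall(strip_comments(policy_text)):
        acts = sorted(a.strip().lower() for a in actions.split(","))
        if "read" in acts and target in BROAD:
            findings.append((target, acts))
    return findings

if __name__ == "__main__":
    for name, text in (("blanket", BLANKET_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, blanket_reads(text))
```
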
