[jira] [Updated] (SOLR-8308) XSS vulnerability
[ https://issues.apache.org/jira/browse/SOLR-8308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Erik Hatcher updated SOLR-8308: --- Attachment: SOLR-8308.patch Here's an updated patch that is more lenient: {code}^[\._A-Za-z0-9]*${code} > XSS vulnerability > - > > Key: SOLR-8308 > URL: https://issues.apache.org/jira/browse/SOLR-8308 > Project: Solr > Issue Type: Bug >Reporter: Adam Johnson > Attachments: SOLR-8308.patch, SOLR-8308.patch > > > You can rename a core using the following modified URL > https://SOLR:PORT/solr/admin/cores?wt=json=false=RENAME=test_app_shared2_replica2=%3Csvg+onload%3Dalert(1)%3E&_=1445468005152. > The core becomes inaccessible / unusable. There should be more form > validation to the core name assignment -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8308) XSS vulnerability
[ https://issues.apache.org/jira/browse/SOLR-8308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Erik Hatcher updated SOLR-8308: --- Attachment: SOLR-8308.patch strawman patch. running tests now, and see some failures so it's already too strict: "Invalid core name: .system_shard1_replica1". what's the right pattern to allow for core names? > XSS vulnerability > - > > Key: SOLR-8308 > URL: https://issues.apache.org/jira/browse/SOLR-8308 > Project: Solr > Issue Type: Bug >Reporter: Adam Johnson > Attachments: SOLR-8308.patch > > > You can rename a core using the following modified URL > https://SOLR:PORT/solr/admin/cores?wt=json=false=RENAME=test_app_shared2_replica2=%3Csvg+onload%3Dalert(1)%3E&_=1445468005152. > The core becomes inaccessible / unusable. There should be more form > validation to the core name assignment -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org