From: Markus Koschany <apo@debian.org>
Date: Wed, 9 Oct 2019 17:41:28 +0200
Subject: CVE-2019-0193
Bug-Upstream: https://issues.apache.org/jira/browse/SOLR-13669
Origin: https://github.com/apache/lucene-solr/commit/325824cd391c8e71f36f17d687f52344e50e9715
---
.../apache/solr/handler/dataimport/DataImportHandler.java | 10 ++++++++++
.../dataimport/AbstractDataImportHandlerTestCase.java | 13 ++++++-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
index 9e11c79..a4a39a0 100644
--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
@@ -83,6 +83,10 @@ public class DataImportHandler extends RequestHandlerBase implements
private Map<String , Object> coreScopeSession = new HashMap<String, Object>();
+ static final String ENABLE_DIH_DATA_CONFIG_PARAM = "enable.dih.dataConfigParam";
+
+ final boolean dataConfigParam_enabled = Boolean.getBoolean(ENABLE_DIH_DATA_CONFIG_PARAM);
+
@Override
@SuppressWarnings("unchecked")
public void init(NamedList args) {
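Review bot: The new switch is undocumented; a reader has to find the throw in handleRequestBody to learn what the property gates, and the field name mixes snake_case into a camelCase file. I would add above the constant `/** System property that must be set to "true" to allow the dataConfig request parameter (DIH debug mode); off by default. */` and rename the flag to `dataConfigParamEnabled`. Since the flag is a field initializer, `Boolean.getBoolean` is evaluated once when the handler instance is created, so the property must be present at JVM start (or before the core loads); a comment such as `// read once at handler construction: set -D... on the JVM command line` would make that operational requirement explicit. Lines 17-24 carry no `+`/space markers, so the exact context around the new fields is inferred.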
@@ -153,6 +157,12 @@ public class DataImportHandler extends RequestHandlerBase implements
return;
}
+ if (dataConfigParam_enabled == false) {
+ throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
+ "Use of the dataConfig param (DIH debug mode) requires the system property " +
+ ENABLE_DIH_DATA_CONFIG_PARAM + " because it's a security risk.");
+ }
+
rsp.add("initArgs", initArgs);
String message = "";
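Review bot: `if (dataConfigParam_enabled == false)` is the unidiomatic spelling of `if (!dataConfigParam_enabled)`, and the guard carries no comment tying it to the issue it fixes; `// CVE-2019-0193 / SOLR-13669: a request-supplied dataConfig lets the caller run arbitrary DIH config, so it is opt-in via a system property` would give the next maintainer the reason not to relax it. The enclosing method starts and ends outside this hunk, so whether every path that consumes the dataConfig parameter passes through this check cannot be confirmed from the visible lines; the preceding `return;` at line 26 suggests an early-exit branch that is worth re-reading for that. The FORBIDDEN response and its message are appropriate and reveal nothing beyond the property name.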
diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
index 1b49028..1cce926 100644
--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
@@ -30,7 +30,7 @@ import org.apache.solr.update.processor.UpdateRequestProcessor;
import org.apache.solr.update.processor.UpdateRequestProcessorFactory;
import org.apache.solr.common.util.NamedList;
import org.junit.After;
-import org.junit.Before;
+import org.junit.BeforeClass;
import java.io.FileOutputStream;
import java.io.IOException;
@@ -57,12 +57,11 @@ public abstract class AbstractDataImportHandlerTestCase extends
public static void initCore(String config, String schema) throws Exception {
initCore(config, schema, getFile("dih/solr").getAbsolutePath());
}
-
- @Override
- @Before
- public void setUp() throws Exception {
- super.setUp();
- }
+
+ @BeforeClass
+ public static void baseBeforeClass() {
+ System.setProperty(DataImportHandler.ENABLE_DIH_DATA_CONFIG_PARAM, "true");
+ }
@Override
@After