[
https://issues.apache.org/jira/browse/SOLR-16777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782707#comment-17782707
]
Ishan Chattopadhyaya commented on SOLR-16777:
---------------------------------------------
[~houston], can you please review my changes to
https://github.com/apache/lucene-solr/tree/jira/solr-16777-8x-backport branch?
Patch file is here:
https://github.com/apache/lucene-solr/commit/f9fdfc3863d436829e925acd2157e356205af929.diff
I'm unable to raise a PR for it, GitHub shows me the following error: Pull
request creation failed. Validation failed: must be a collaborator
I wasn't able to port all the refactoring that the config sets codepaths has
received in 9x, so doing a targeted fix here.
> Schema Designer blindly "trusts" potentially malicious configset
> ----------------------------------------------------------------
>
> Key: SOLR-16777
> URL: https://issues.apache.org/jira/browse/SOLR-16777
> Project: Solr
> Issue Type: Bug
> Affects Versions: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1
> Reporter: Ishan Chattopadhyaya
> Assignee: Ishan Chattopadhyaya
> Priority: Blocker
> Fix For: 9.3
>
> Attachments: SOLR-16777-1.patch, SOLR-16777-2.patch,
> SOLR-16777.patch, Screenshot_20230503_165913.jpg,
> Screenshot_20230503_181534.jpg
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When configset API is used to upload configsets by unauthenticated users, a
> "trusted: false" flag is set on the configset. Such configsets cannot use the
> <lib> directive to load classes while creating/loading collections. Details
> here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload
> Unfortunately, this safety mechanism was bypassed in the schema designer when
> a isConfigsetTrusted was hardcoded to true.
> [https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697]
>
> As per Skay's report
> [https://twitter.com/Skay_00/status/1646870062601756672|https://twitter.com/Skay_00/status/1646870062601756672),]
> remote code execution is possible in unsecured Solr clusters where
> authentication hasn't been enabled. This ticket is to mitigate one aspect of
> that, i.e. the schema designer vulnerability. While our recommendation to all
> users remains the same, i.e. to secure Solr installations with authentication
> and authorization, I thank Skay for his detailed report.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
