This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release18.12 by this push: new 998bf510a Fixed: Execution of queries without authentication (OFBIZ-12857) 998bf510a is described below
commit 998bf510a9e22fab3f8a54e6fa82cab0283ba712
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Sep 22 18:02:48 2023 +0200
Fixed: Execution of queries without authentication (OFBIZ-12857)
The problem lies with the Solr Plugin for OFBiz. It allows the execution of queries without authentication. This fixes it and, because it's more general, also fixes the CVE-2022-47501 ("Arbitrary file reading vulnerability in Solr") that has been handled by OFBIZ-12792.
Conflicts handled by hand
---
.../ofbiz/solr/webapp/OFBizSolrContextFilter.java | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index ad1f5c074..79c6a7d9a 100644
--- a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
@@ -71,9 +72,14 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
 super.init(config);
 }
- /**
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
- */
+ private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+ HttpSession session = httpRequest.getSession();
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
+ return UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, httpRequest);
+ }
+
+ /** Do filter */
+ @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 HttpServletResponse httpResponse = (HttpServletResponse) response;
@@ -82,11 +88,15 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
 // check if the request is from an authorized user
 String servletPath = httpRequest.getServletPath();
- if (servletPath.equals("/solrdefault/debug/dump")) {
+ List<String> solrCoreNames = getCores().getAllCoreNames();
+ boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+ coreName -> servletPath.matches(String.format("/%s/.*", coreName)));
+
+ // check if the request is from an authorized user
+ if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
 sendJsonHeaderMessage(httpRequest, httpResponse, null, "SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
 return;
 }
- if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update") || servletPath.endsWith("/update/json") || servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract") || servletPath.endsWith("/replication") || servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
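Review bot: The new userIsUnauthorized helper calls `httpRequest.getSession()` with no argument, which under the servlet contract creates a fresh HttpSession when none exists, so every anonymous request to a Solr core path now allocates server-side session state before being rejected; an authorization check should not create state, and an unauthenticated client can inflate the session store at will. Use the no-create form and treat a missing session as unauthorized: `HttpSession session = httpRequest.getSession(false);` followed by `GenericValue userLogin = session == null ? null : (GenericValue) session.getAttribute("userLogin");` with the existing `return UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, httpRequest);` unchanged. Separately, the replacement Javadoc `/** Do filter */` drops the `@see javax.servlet.Filter#doFilter(...)` reference without saying what the filter enforces; a one-line comment such as `/** Rejects requests to any Solr core path unless the session carries a userLogin with base permission. */` would document the security intent this commit introduces. The body of doFilter continues past the end of this hunk, so the rejection path itself is reviewed only as far as shown.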