This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release22.01 by this push:
     new d3a7775e1 Fixed: Execution of queries without authentication 
(OFBIZ-12857)
d3a7775e1 is described below

commit d3a7775e11dd180e4478cf11cf8668785ce29871
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Sep 22 18:02:48 2023 +0200

    Fixed: Execution of queries without authentication (OFBIZ-12857)
    
    The problem lies with the Solr Plugin for OFBiz.
    It allows the execution of queries without authentication.
    
    This fixes it and, because it's more general, also fixes the CVE-2022-47501
    ("Arbitrary file reading vulnerability in Solr") that has been handled by
    OFBIZ-12792.
---
 .../ofbiz/solr/webapp/OFBizSolrContextFilter.java       | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git 
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java 
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index dfca386ce..8cea4e24b 100644
--- 
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ 
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
@@ -98,6 +99,13 @@ public class OFBizSolrContextFilter extends 
SolrDispatchFilter {
         config.getServletContext().setAttribute(SOLRHOME_ATTRIBUTE, ofbizHome 
+ props.getProperty("solr/home"));
         super.init(config);
     }
+
+    private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+        HttpSession session = httpRequest.getSession();
+        GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
+        return UtilValidate.isEmpty(userLogin) || 
!LoginWorker.hasBasePermission(userLogin, httpRequest);
+    }
+
     /** Do filter */
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws IOException, ServletException {
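Review bot: `userIsUnauthorized` calls `httpRequest.getSession()`, which creates a new server-side session for any request that has none, so every unauthenticated probe against a core path allocates session state before it is rejected. Use the non-creating form and treat a missing session as unauthorized: `HttpSession session = httpRequest.getSession(false);` followed by `GenericValue userLogin = session == null ? null : (GenericValue) session.getAttribute("userLogin");`. The `UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(...)` return can stay as written. doFilter's body continues outside this hunk.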
@@ -107,12 +115,15 @@ public class OFBizSolrContextFilter extends 
SolrDispatchFilter {
 
         String servletPath = httpRequest.getServletPath();
 
-        if (servletPath.equals("/solrdefault/debug/dump")) {
+        List<String> solrCoreNames = getCores().getAllCoreNames();
+        boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+                coreName -> servletPath.matches(String.format("/%s/.*", 
coreName)));
+
+        // check if the request is from an authorized user
+        if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
             sendJsonHeaderMessage(httpRequest, httpResponse, null, 
"SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
             return;
         }
-
-        // check if the request is from an authorized user
         if (UtilValidate.isNotEmpty(servletPath) && 
(servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
                 || servletPath.endsWith("/update/json") || 
servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
                 || servletPath.endsWith("/replication") || 
servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
