This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release22.01 by this push: new d3a7775e1 Fixed: Execution of queries without authentication (OFBIZ-12857) d3a7775e1 is described below commit d3a7775e11dd180e4478cf11cf8668785ce29871 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri Sep 22 18:02:48 2023 +0200 Fixed: Execution of queries without authentication (OFBIZ-12857) The problem lies with the Solr Plugin for OFBiz. It allows the execution of queries without authentication. This fixes it and, because it's more general, also fixes the CVE-2022-47501 ("Arbitrary file reading vulnerability in Solr") that has been handled by OFBIZ-12792.
---
 .../ofbiz/solr/webapp/OFBizSolrContextFilter.java | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index dfca386ce..8cea4e24b 100644
--- a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
@@ -98,6 +99,13 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
 config.getServletContext().setAttribute(SOLRHOME_ATTRIBUTE, ofbizHome + props.getProperty("solr/home"));
 super.init(config);
 }
+
+ private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+ HttpSession session = httpRequest.getSession();
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
+ return UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, httpRequest);
+ }
+
 /** Do filter */
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
@@ -107,12 +115,15 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter {
 String servletPath = httpRequest.getServletPath();
- if (servletPath.equals("/solrdefault/debug/dump")) {
+ List<String> solrCoreNames = getCores().getAllCoreNames();
+ boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+ coreName -> servletPath.matches(String.format("/%s/.*", coreName)));
+
+ // check if the request is from an authorized user
+ if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
 sendJsonHeaderMessage(httpRequest, httpResponse, null, "SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
 return;
 }
-
- // check if the request is from an authorized user
 if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update") || servletPath.endsWith("/update/json") || servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract") || servletPath.endsWith("/replication") || servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
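Review bot: `userIsUnauthorized` obtains the session with `httpRequest.getSession()`, which creates a new server-side session when the request carries none, so every unauthenticated request that reaches this check allocates session state before being rejected. Using `HttpSession session = httpRequest.getSession(false);` and returning `true` when `session == null` avoids that allocation and yields the same verdict, since a missing session cannot hold a `userLogin` and the existing `UtilValidate.isEmpty` path already treats a null attribute as unauthorized. The new private method also has no Javadoc; suggest `/** Returns true when the session holds no userLogin or that login lacks the base permission for this request. */` above it.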