This is an automated email from the ASF dual-hosted git repository.
ishan pushed a commit to branch branch_9_2
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9_2 by this push:
new 0333862ad28 SOLR-16777: Fix for Schema Designer blindly trusting
potentially malicious configsets
0333862ad28 is described below
commit 0333862ad289d9f73c7c96e1d26ebe15e506a4aa
Author: Ishan Chattopadhyaya <[email protected]>
AuthorDate: Sat Apr 29 19:58:49 2023 +0530
SOLR-16777: Fix for Schema Designer blindly trusting potentially malicious
configsets
---
solr/CHANGES.txt | 2 ++
.../org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 5f32e44012d..40f8903f1de 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -28,6 +28,8 @@ Bug Fixes
* SOLR-16741: CLUSTERSTATUS API returns wrong value for state ,leader for PRS
collections (noble)
+* SOLR-16777: Fix for Schema Designer blindly trusting potentially malicious
configsets (Ishan Chattopadhyaya, Skay)
+
Other Changes
---------------------
* SOLR-16735: Allow custom configuration of Jetty's SecureRequestCustomizer
(Tomás Fernández Löbbe)
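Review bot: the new SOLR-16777 entry under Bug Fixes repeats the commit subject and does not tell users what changes for them. The only code change in this commit is the third argument to SolrConfig.readFromResourceLoader in SchemaDesignerConfigSetHelper going from true to false, so consider wording the entry around that behaviour (how Schema Designer now loads solrconfig.xml from a configset), so that an operator reading CHANGES.txt can tell whether an existing designer workflow is affected.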
diff --git
a/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java
b/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java
index 35fdae660f1..1a4f5f3bc86 100644
---
a/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java
+++
b/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java
@@ -693,7 +693,7 @@ class SchemaDesignerConfigSetHelper implements
SchemaDesignerConstants {
configSet,
resourceLoader.getClassLoader(),
cc.getZkController());
- return SolrConfig.readFromResourceLoader(zkLoader, SOLR_CONFIG_XML, true,
null);
+ return SolrConfig.readFromResourceLoader(zkLoader, SOLR_CONFIG_XML, false,
null);
}
ManagedIndexSchema loadLatestSchema(String configSet) {
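Review bot: the bare false passed as the third argument to SolrConfig.readFromResourceLoader in the changed return statement gives no hint of what it controls or why it must stay false, so a later cleanup could flip it back without anyone noticing. Add a short comment at the call, or a named constant, stating that configsets opened through Schema Designer are never loaded as trusted, with a pointer to SOLR-16777. The diffstat lists only CHANGES.txt and this file, so the fix ships without a test; a regression test asserting that the designer loads the config with this flag off would guard the change.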