[ https://issues.apache.org/jira/browse/SOLR-7966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Rowe reopened SOLR-7966:
------------------------------

My Jenkins found a {{JettyWebappTest}} failure 
[http://jenkins.sarowe.net/job/Lucene-Solr-tests-5.x-Java8/1574/] that 
reproduces for me on OS X:

{noformat}
   [junit4]   2> NOTE: reproduce with: ant test  -Dtestcase=JettyWebappTest -Dtests.method=testAdminUI -Dtests.seed=5567901EF3993FC2 -Dtests.slow=true -Dtests.linedocsfile=/home/jenkins/lucene-data/enwiki.random.lines.txt -Dtests.locale=ga -Dtests.timezone=Asia/Dubai -Dtests.asserts=true -Dtests.file.encoding=US-ASCII
   [junit4] ERROR   6.73s | JettyWebappTest.testAdminUI <<<
   [junit4]    > Throwable #1: java.lang.IllegalStateException: Scheme 'http' not registered.
   [junit4]    >        at __randomizedtesting.SeedInfo.seed([5567901EF3993FC2:6DB5734D94F2A47D]:0)
   [junit4]    >        at org.apache.http.conn.scheme.SchemeRegistry.getScheme(SchemeRegistry.java:74)
   [junit4]    >        at org.apache.http.impl.conn.ProxySelectorRoutePlanner.determineRoute(ProxySelectorRoutePlanner.java:140)
   [junit4]    >        at org.apache.http.impl.client.DefaultRequestDirector.determineRoute(DefaultRequestDirector.java:762)
   [junit4]    >        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
   [junit4]    >        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
   [junit4]    >        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
   [junit4]    >        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
   [junit4]    >        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
   [junit4]    >        at org.apache.solr.client.solrj.embedded.JettyWebappTest.testAdminUI(JettyWebappTest.java:113)
   [junit4]    >        at java.lang.Thread.run(Thread.java:745)
   [junit4]   2> 6769 INFO  (SUITE-JettyWebappTest-seed#[5567901EF3993FC2]-worker) [    ] o.a.s.SolrTestCaseJ4 ###deleteCore
   [junit4]   2> NOTE: leaving temporary files on disk at: /Users/sarowe/svn/lucene/dev/branches/branch_5x/solr/build/solr-solrj/test/J0/temp/solr.client.solrj.embedded.JettyWebappTest_5567901EF3993FC2-001
   [junit4]   2> NOTE: test params are: codec=HighCompressionCompressingStoredFields(storedFieldsFormat=CompressingStoredFieldsFormat(compressionMode=HIGH_COMPRESSION, chunkSize=1, maxDocsPerChunk=10, blockSize=10), termVectorsFormat=CompressingTermVectorsFormat(compressionMode=HIGH_COMPRESSION, chunkSize=1, blockSize=10)), sim=RandomSimilarityProvider(queryNorm=false,coord=yes): {}, locale=ga, timezone=Asia/Dubai
   [junit4]   2> NOTE: Mac OS X 10.10.5 x86_64/Oracle Corporation 1.8.0_20 (64-bit)/cpus=8,threads=1,free=229789480,total=277872640
   [junit4]   2> NOTE: All tests run in this JVM: [JettyWebappTest]
   [junit4] Completed [1/1] in 8.44s, 1 test, 1 error <<< FAILURES!
{noformat}

> Solr Admin pages should set X-Frame-Options to DENY
> ---------------------------------------------------
>
>                 Key: SOLR-7966
>                 URL: https://issues.apache.org/jira/browse/SOLR-7966
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Yonik Seeley
>            Priority: Trivial
>             Fix For: Trunk, 5.4
>
>         Attachments: SOLR-7966.patch, SOLR-7966.patch
>
>
> Security scan software reported that Solr's admin interface is vulnerable to 
> clickjacking, which is fixable with the X-Frame-Options HTTP header.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
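
The header check that the issue description implies, as an added example that is not part of this thread or of the SOLR-7966 patch: it audits responses for an unambiguous X-Frame-Options value. The function names, the local stand-in server and its `/admin` and `/legacy` paths are constructed for illustration and are not Solr's.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def framing_policy(headers):
    """Classify X-Frame-Options from (name, value) header pairs.

    Returns 'deny', 'sameorigin', 'conflict' or 'missing'.
    """
    xfo = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # A comma-joined value is equivalent to repeated headers.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
    if len(xfo) > 1:
        return "conflict"  # ambiguous: report it instead of guessing
    if xfo & {"DENY", "SAMEORIGIN"}:
        return xfo.pop().lower()
    return "missing"  # header absent or value not recognised


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for an admin UI: only /admin sends the header."""

    def do_GET(self):
        self.send_response(200)
        if self.path == "/admin":
            self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>admin</body></html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def scan(paths=("/admin", "/legacy")):
    """Serve the sample pages on a free loopback port and audit each path."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for path in paths:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            results[path] = framing_policy(resp.getheaders())
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results
```

A result of `missing` or `conflict` for an admin path is the finding to fix.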
