[ https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988451#comment-16988451 ]

ASF subversion and git services commented on SOLR-14015:
--------------------------------------------------------

Commit c4126ef858b9bac167f51b3c08d51dc28404ced9 in lucene-solr's branch 
refs/heads/master from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=c4126ef ]

SOLR-14015: remove blanket filesystem read access from solr-tests.policy

Restrict this to only minimal paths like lucene. It is the defense for 
directory traversal attacks.
It will also help find bad bugs where things are reading the filesystem in the 
wrong locations.


> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
>                 Key: SOLR-14015
>                 URL: https://issues.apache.org/jira/browse/SOLR-14015
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately currently the solr policy allows read to ALL FILES.
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or 
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal 
> attacks, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
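
The commit above removes the blanket filesystem read grant from solr-tests.policy. As an added example (not part of the commit or of the Solr code base), this Python check scans Java policy text for active `FilePermission` grants that allow read on every file, so a regression can be caught in CI. The sample policy is constructed, and `blanket_reads` and `strip_comments` are hypothetical helper names.

```python
import re

# Quoted strings are matched first so "//" or "/*" inside a path is not a comment.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*', re.S)
_PERM = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]*)"\s*,\s*"([^"]*)"')
# Targets covering the whole filesystem ("/-" and "${/}-" do so on Unix-like hosts).
BLANKET = {"<<ALL FILES>>", "/-", "${/}-"}

def strip_comments(text):
    """Blank out comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, text)

def blanket_reads(policy_text):
    """Return (line, target, actions) for each active blanket read grant."""
    text = strip_comments(policy_text)
    hits = []
    for m in _PERM.finditer(text):
        target, actions = m.group(1), m.group(2)
        acts = {a.strip().lower() for a in actions.split(",")}
        if target in BLANKET and "read" in acts:
            hits.append((text.count("\n", 0, m.start()) + 1, target, actions))
    return hits

# Constructed sample, not the real solr-tests.policy.
SAMPLE = """\
// constructed sample, not the real solr-tests.policy
grant {
  /* disabled:
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  */
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "${java.home}${/}-", "read";
  permission java.io.FilePermission "${java.io.tmpdir}${/}*", "read,write";
  // permission java.io.FilePermission "/-", "read";
  permission java.io.FilePermission "${/}-", "read,readlink";
};
"""

if __name__ == "__main__":
    for line, target, actions in blanket_reads(SAMPLE):
        print(f"line {line}: FilePermission {target!r} grants {actions!r}")
```
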
