[
https://issues.apache.org/jira/browse/SOLR-16777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719947#comment-17719947
]
Jason Gerlowski commented on SOLR-16777:
----------------------------------------
bq. Jason, please stop being so melodramatic. I'm on travel at the moment
Apologies for the "melodrama," if that's how my comment came off. I wasn't
trying to make a bigger thing of it than it is.
I've been thinking a lot lately about how it's the unwritten rules and norms
that allow our community to work at all. How we incorporate feedback is one of
those. Those norms are just so, so important. That's all I was trying to get
across.
(And related - I think you're right - as important as it is, it's hard to
elucidate or appeal to that sort of stuff without sounding like a crazy person
catastrophizing or being melodramatic with some minuscule detail 😬. So, I get
that haha.)
Anyways, I appreciate your clarifying that you intended to get to it in time
(y). That's perfect. Have a safe trip!
> Schema Designer blindly "trusts" potentially malicious configset
> ----------------------------------------------------------------
>
> Key: SOLR-16777
> URL: https://issues.apache.org/jira/browse/SOLR-16777
> Project: Solr
> Issue Type: Bug
> Affects Versions: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1
> Reporter: Ishan Chattopadhyaya
> Assignee: Ishan Chattopadhyaya
> Priority: Blocker
> Fix For: 9.2.2
>
> Attachments: SOLR-16777.patch, Screenshot_20230503_165913.jpg,
> Screenshot_20230503_181534.jpg
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When configset API is used to upload configsets by unauthenticated users, a
> "trusted: false" flag is set on the configset. Such configsets cannot use the
> <lib> directive to load classes while creating/loading collections. Details
> here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload
> Unfortunately, this safety mechanism was bypassed in the schema designer when
> a isConfigsetTrusted was hardcoded to true.
> [https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697]
> Â
> As per Skay's report
> [https://twitter.com/Skay_00/status/1646870062601756672|https://twitter.com/Skay_00/status/1646870062601756672),]
> remote code execution is possible in unsecured Solr clusters where
> authentication hasn't been enabled. This ticket is to mitigate one aspect of
> that, i.e. the schema designer vulnerability. While our recommendation to all
> users remains the same, i.e. to secure Solr installations with authentication
> and authorization, I thank Skay for his detailed report.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
