[ https://issues.apache.org/jira/browse/SOLR-16777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17741756#comment-17741756 ]
Houston Putman commented on SOLR-16777: --------------------------------------- I added a patch that should use the built-in trustedness of the configSet being used, when designing with the schema designer. If the user uploads a custom file to the configSet using the schema designer APIs, it can only remove the trust (if the user is not authenticated). It can never add trust to an untrusted configSet, because there is no way to replace all files using the schema designer APIs. (And we aren't going to give a whole configSet trust just because one file is now "trusted") > Schema Designer blindly "trusts" potentially malicious configset > ---------------------------------------------------------------- > > Key: SOLR-16777 > URL: https://issues.apache.org/jira/browse/SOLR-16777 > Project: Solr > Issue Type: Bug > Affects Versions: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1 > Reporter: Ishan Chattopadhyaya > Assignee: Ishan Chattopadhyaya > Priority: Blocker > Fix For: 9.3 > > Attachments: SOLR-16777-1.patch, SOLR-16777.patch, > Screenshot_20230503_165913.jpg, Screenshot_20230503_181534.jpg > > Time Spent: 0.5h > Remaining Estimate: 0h > > When configset API is used to upload configsets by unauthenticated users, a > "trusted: false" flag is set on the configset. Such configsets cannot use the > <lib> directive to load classes while creating/loading collections. Details > here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload > Unfortunately, this safety mechanism was bypassed in the schema designer when > a isConfigsetTrusted was hardcoded to true. > [https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697] > > As per Skay's report > [https://twitter.com/Skay_00/status/1646870062601756672|https://twitter.com/Skay_00/status/1646870062601756672),] > remote code execution is possible in unsecured Solr clusters where > authentication hasn't been enabled. This ticket is to mitigate one aspect of > that, i.e. the schema designer vulnerability. While our recommendation to all > users remains the same, i.e. to secure Solr installations with authentication > and authorization, I thank Skay for his detailed report. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org