Ryan: this should probably be called out in the CHANGES.txt as a change in
behavior.

: Date: Tue, 01 May 2007 09:02:08 -0000
: From: [EMAIL PROTECTED]
: Reply-To: solr-dev@lucene.apache.org
: To: [EMAIL PROTECTED]
: Subject: svn commit: r533978 -
:     /lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
:
: Author: ryan
: Date: Tue May  1 02:02:08 2007
: New Revision: 533978
:
: URL: http://svn.apache.org/viewvc?view=rev&rev=533978
: Log:
: minor security fix.  This makes sure you can't call paths that start with "/" from /select
:
: This way, if you register a handler with "/path" and use path based authentication, you can not sneak into it using:
:
:  http://localhost:8983/solr/select/?qt=/update&stream.body=...
:
: Modified:
:     lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
:
: Modified: lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
: URL: http://svn.apache.org/viewvc/lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java?view=diff&rev=533978&r1=533977&r2=533978
: ==============================================================================
: --- 
lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
 (original)
: +++ 
lucene/solr/trunk/src/webapp/src/org/apache/solr/servlet/SolrDispatchFilter.java
 Tue May  1 02:02:08 2007
: @@ -139,6 +139,9 @@
:            if( "/select".equals( path ) || "/select/".equals( path ) ) {
:              solrReq = parsers.parse( path, req );
:              String qt = solrReq.getParams().get( SolrParams.QT );
: +            if( qt != null && qt.startsWith( "/" ) ) {
: +              throw new SolrException( 400, "Invalid query type.  Do not use 
/select to access: "+qt);
: +            }
:              handler = core.getRequestHandler( qt );
:              if( handler == null ) {
:                throw new SolrException( 400, "unknown handler: "+qt);
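
Review bot: the new qt.startsWith( "/" ) guard in the /select branch has no comment explaining why slash-prefixed names are refused, and the reason given in the log message (handlers registered as "/path" may sit behind path-based authentication) is not recoverable from the code alone; a one-line comment above the if would keep a later cleanup from removing it. The 400 message also concatenates the raw qt parameter ("... to access: "+qt), as the existing "unknown handler: "+qt line does, so it is worth confirming that the error response escapes the message wherever SolrException text is rendered. A test that requests /select with qt=/update and expects a 400 would pin the new behaviour down.
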
:
:



-Hoss
