This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/trunk by this push:
new caf72b8ac Fixed: Disallow unauthorized users to use Solr (OFBIZ-12792)
caf72b8ac is described below
commit caf72b8ac2958383c57f6a3a84c8bd49c29537b8
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Apr 10 11:41:02 2023 +0200
Fixed: Disallow unauthorized users to use Solr (OFBIZ-12792)
Finalises [CVE-2022-47501]
---
solr/config/SolrUiLabels.xml | 2 +-
.../main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/solr/config/SolrUiLabels.xml b/solr/config/SolrUiLabels.xml
index 340316019..c162388f5 100644
--- a/solr/config/SolrUiLabels.xml
+++ b/solr/config/SolrUiLabels.xml
@@ -70,6 +70,6 @@ under the License.
<value xml:lang="en">To view files of a Solr index in OFBiz, you
should have the permission to do so.</value>
</property>
<property key="SolrErrorUnauthorisedRequestForSecurityReason">
- <value xml:lang="en">The request must be from an authorized
user</value>
+ <value xml:lang="en">This is an unauthorized request for security
reason</value>
</property>
</resource>
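Review bot: The new English value of `SolrErrorUnauthorisedRequestForSecurityReason` is ungrammatical — "for security reason" should be "for security reasons", i.e. `<value xml:lang="en">This is an unauthorized request for security reasons</value>`. Since this text is the user-facing error returned when the filter rejects a request, it is worth getting right in the source language before other locales are derived from it; the key name can stay as is to avoid touching callers.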
diff --git
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index a1c89217a..dfca386ce 100644
---
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -105,7 +105,6 @@ public class OFBizSolrContextFilter extends
SolrDispatchFilter {
HttpServletResponse httpResponse = (HttpServletResponse) response;
Locale locale = UtilHttp.getLocale(httpRequest);
- // check if the request is from an authorized user
String servletPath = httpRequest.getServletPath();
if (servletPath.equals("/solrdefault/debug/dump")) {
@@ -113,6 +112,7 @@ public class OFBizSolrContextFilter extends
SolrDispatchFilter {
return;
}
+ // check if the request is from an authorized user
if (UtilValidate.isNotEmpty(servletPath) &&
(servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
|| servletPath.endsWith("/update/json") ||
servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
|| servletPath.endsWith("/replication") ||
servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {