This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/trunk by this push:
new 40434deb0 Fixed: Execution of queries without authentication
(OFBIZ-12857)
40434deb0 is described below
commit 40434deb0e3e8dce16707bc43e2f33cbd8d3fc6a
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Sep 22 18:02:48 2023 +0200
Fixed: Execution of queries without authentication (OFBIZ-12857)
The problem lies with the Solr Plugin for OFBiz.
It allows the execution of queries without authentication.
This fixes it and, because it's more general, also fixes the CVE-2022-47501
("Arbitrary file reading vulnerability in Solr") that has been handled by
OFBIZ-12792.
---
.../ofbiz/solr/webapp/OFBizSolrContextFilter.java | 25 ++++++++++++++++------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index dfca386ce..d0af39ab8 100644
---
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
+import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
@@ -98,6 +99,13 @@ public class OFBizSolrContextFilter extends
SolrDispatchFilter {
config.getServletContext().setAttribute(SOLRHOME_ATTRIBUTE, ofbizHome
+ props.getProperty("solr/home"));
super.init(config);
}
+
+ private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+ HttpSession session = httpRequest.getSession();
+ GenericValue userLogin = (GenericValue)
session.getAttribute("userLogin");
+ return UtilValidate.isEmpty(userLogin) ||
!LoginWorker.hasBasePermission(userLogin, httpRequest);
+ }
+
/** Do filter */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@@ -107,18 +115,21 @@ public class OFBizSolrContextFilter extends
SolrDispatchFilter {
String servletPath = httpRequest.getServletPath();
- if (servletPath.equals("/solrdefault/debug/dump")) {
+ List<String> solrCoreNames = getCores().getAllCoreNames();
+ boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+ coreName -> servletPath.matches(String.format("/%s/.*",
coreName)));
+
+ // check if the request is from an authorized user
+ if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
sendJsonHeaderMessage(httpRequest, httpResponse, null,
"SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
return;
}
-
- // check if the request is from an authorized user
if (UtilValidate.isNotEmpty(servletPath) &&
(servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
|| servletPath.endsWith("/update/json") ||
servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
|| servletPath.endsWith("/replication") ||
servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
HttpSession session = httpRequest.getSession();
GenericValue userLogin = (GenericValue)
session.getAttribute("userLogin");
- if (servletPath.startsWith("/admin/") &&
(UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin,
httpRequest))) {
+ if (servletPath.startsWith("/admin/") &&
!userIsUnauthorized(httpRequest)) {
response.setContentType("application/json");
MapToJSON mapToJson = new MapToJSON();
JSON json;
@@ -148,20 +159,20 @@ public class OFBizSolrContextFilter extends
SolrDispatchFilter {
|| servletPath.endsWith("/update/extract")) {
// NOTE: the update requests are defined in an index's
solrconfig.xml
// get the Solr index name from the request
- if (UtilValidate.isEmpty(userLogin) ||
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+ if (UtilValidate.isEmpty(userLogin) ||
!userIsUnauthorized(httpRequest)) {
sendJsonHeaderMessage(httpRequest, httpResponse,
userLogin, "SolrErrorUpdateLoginFirst", "SolrErrorNoUpdatePermission", locale);
return;
}
} else if (servletPath.endsWith("/replication")) {
// get the Solr index name from the request
- if (UtilValidate.isEmpty(userLogin) ||
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+ if (UtilValidate.isEmpty(userLogin) ||
!userIsUnauthorized(httpRequest)) {
sendJsonHeaderMessage(httpRequest, httpResponse,
userLogin, "SolrErrorReplicateLoginFirst", "SolrErrorNoReplicatePermission",
locale);
return;
}
} else if (servletPath.endsWith("/file") ||
servletPath.endsWith("/file/")) {
// get the Solr index name from the request
- if (UtilValidate.isEmpty(userLogin) ||
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+ if (UtilValidate.isEmpty(userLogin) ||
!userIsUnauthorized(httpRequest)) {
sendJsonHeaderMessage(httpRequest, httpResponse,
userLogin, "SolrErrorViewFileLoginFirst", "SolrErrorNoViewFilePermission",
locale);
return;
