[
https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988408#comment-16988408
]
Robert Muir commented on SOLR-14015:
------------------------------------
[~erickerickson] that is a good kind of thing to fix, just commit it, I will
deal :). I don't think that specific test bothered this patch here simply
because of the way the test is written. I'm guessing the SecurityException gets
boxed in a RemoteSolrException or whatever and the tests passed anyway
regardless of why the access was denied.
The WTFs here are for tests that really couldn't handle the SecurityException
for some reason. They can probably be easily fixed after the fact. Its just
more work, and you gotta start somewhere :)
> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
> Key: SOLR-14015
> URL: https://issues.apache.org/jira/browse/SOLR-14015
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Robert Muir
> Priority: Major
> Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately currently the solr policy allows read to ALL FILES
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal
> attacks, etc.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]