Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fresh solr 2.9.2 oss #766

Open
wants to merge 58 commits into
base: develop-2.9
Choose a base branch
from
Open

Fresh solr 2.9.2 oss #766

wants to merge 58 commits into from

Conversation

jagguli
Copy link

@jagguli jagguli commented Apr 22, 2020
edited

Pull request with yokozuna updated to solr7

Please also see previous PR for discussion #765

llelf added 30 commits June 21, 2018 20:21
@llelf
grab-solr: stop all unsafety
7d64c5d
@llelf
solr build script changes
982efef
@llelf
restructure tools: common.sh, copy-jars.sh
a42e861
@llelf
tools: use sha512
ba2aad5
@llelf
Fix solr startup
0107b1d
@llelf
minor yz_solr_proc fixes
bd2adca
@llelf
maven/idea files
681d671
@llelf
ant build.xml for java files
251f7e5
@llelf
fix SimpleQueryExample
963363b
@llelf
XXX handler.EntropyData for solr6
9df8638
@llelf
trivial FQShardTranslator changes
49a6d49
@llelf
remove FQShardTranslator:isDistrib kludge (FIXME?)
16e6197
@llelf
c.b.y.m.Monitor: set thread name
0fae1b0
@llelf
fix solr logging
0833513
@llelf
solrconfig.xml: no need to declare /admin
67516c7
@llelf
fix jetty configuration
f4d7652
@llelf
grab-solr: restore deleted “SOLR_PKG_DIR variable is set” case
f07af4a
@llelf
tools/copy-jars: cp as the name says, not mv
4925e24
@llelf
fix solr version in build.xml
091498d
@llelf
make love not war
05f0bdf
@llelf
make sure custom jars exist
ffdafce
@llelf
precompiled jars
f533136
@llelf
yz_schema: allow v1.6
2c8d746
@llelf
grab-solr: download solr from archives
88c5231 
7.4 came ⇒ 7.3.1 disappeared everywhere!
@llelf
minor java code changes
5418cd5
@llelf
trivial Monitor.java change
8acbbaf
@llelf
modernize SimpleQueryExample
871ec25
@llelf
SIMPLE rename back
1f15141
@llelf
java changes stash
e93feb5
@llelf
EntropyData: (*many*) changes for layered index / solr7
22d8a41
llelf and others added 28 commits July 9, 2018 21:56
@llelf
explicitly run needed ./tools/*.sh in rebar.config
de5cb6b
@llelf
_yz_default: no Kurdish. TODO: check/update everything
d4f4925
@llelf
set yz.lib.dir correctly (XXX needed?)
dd4cb0b
@llelf
Revert "set yz.lib.dir correctly (XXX needed?)"
9cbd665 
This reverts commit 0fb1d04d1cbd410d6ec7cb6373fdbcb51f4a96f2.
@llelf
kill outdated java options
682ebee
@llelf
_yz_default: correct _version_ type
3027082
@llelf
tooling
0834ca4
@llelf
don't use fancy xml in jetty configs (todo: actually DO use it)
d568288 
this is from a bug-hunt (which was in a entirely different place)
@llelf
add (java) package-info
5936eb3
@llelf
tools: remove bashisms
110c517
@llelf
EntropyData: don't skip one-after ceiling doc
4bc15b4
@llelf
build-jar.sh: use provided jars if possible
77fc2a9
@llelf
tooling minor changes
d8b48d0 
copy-jars
@llelf
preliminary EntropyClient
f82c552
@llelf
compile java sources with debug on
c3ad477
@llelf
precompiled jars [yokozuna-3.2 yz_monitor-1.2]
56f062f
@llelf
tooling
119e30f
@llelf
accept application/json POST for search too
f686b9d
@llelf
“bump” version
6c789d7
@llelf
tools scripts: ‘.’ files correctly
cf698d1 
kudos to @mitchellwrosen
@llelf
pass indent=false to solr
9a934e5
@llelf
[sec] yz xml extractor: prevent XXE attack
f57ff77 
XML External Entity attack

1. if HTTP API is exposed:

  - read any file on the system — via /search/extract, the error message leaks
    file content;

  - send HTTP «GET /» request to any host — by PUT/POSTing text/xml document,
    or via /search/extract.  This is also likely riak DoS if the host is
    attacker-controlled.

2. if PB API is exposed

  - send HTTP «GET /» request to any host — by PUT/POST, see above.

Example request:

<?xml version="1.0"?>
<!DOCTYPE meow [
  <!ENTITY xxe2 SYSTEM "/etc/passwd">
  <!ENTITY xxe1 SYSTEM "http://host/ping-me">
]>
<meow>&xxe1;</meow>
@llelf
[sec] http search: get rid of ‘yz-fprof’ header handling
8fc7727 
It doesn't check user-provided path in any way.
This allows overriding any file on the system with riak permissions.
@llelf
Merge branch 'sec1' into fresh-solr
fdeffe7 
Security fixes

1. if HTTP API is exposed:

  - read any file on the system — via /search/extract, the error message leaks
    file content;

  - send HTTP «GET /» request to any host — by PUT/POSTing text/xml document,
    or via /search/extract.  This is also likely riak DoS if the host is
    attacker-controlled.

2. if PB API is exposed:

  - send HTTP «GET /» request to any host — by PUT/POST, see above.

3. if HTTP API is exposed:

  - override (with garbage) any file on the system with riak permissions.
Merge tag 'riak_kv-2.9.0p6' into fresh-solr+2.9.0p6
f6d2238
fix: update test case for cuttlefish
7988a2f
Merge branch 'fresh-solr-2.9.0p6' into fresh-solr-2.9.1
95a1bef
fix: solr jvm opts test
47894d5
@jagguli jagguli mentioned this pull request Apr 22, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jagguli @llelf