[jira] Created: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message


[jira] Created: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
SolrDispatchFilter needs to sanitize exception message
------------------------------------------------------

                 Key: SOLR-1594
                 URL: https://issues.apache.org/jira/browse/SOLR-1594
             Project: Solr
          Issue Type: Bug
    Affects Versions: 1.4
            Reporter: Bill Au
            Assignee: Bill Au
             Fix For: 1.5
         Attachments: solr-1594.patch

SolrDispatchFilter needs to sanitize exception messages before using them in the response.  I will attach a patch shortly.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)

     [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bill Au updated SOLR-1594:
--------------------------

    Attachment: solr-1594.patch


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781491#action_12781491 ]

Yonik Seeley commented on SOLR-1594:
------------------------------------

What bad things happen w/o this patch?


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781496#action_12781496 ]

Bill Au commented on SOLR-1594:
-------------------------------

Try running this query:

solr/select/?q=title:"<script>alert("xss")</script>


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781504#action_12781504 ]

Yonik Seeley commented on SOLR-1594:
------------------------------------

OK....
{code}
curl 'http://localhost:8983/solr/select/?q=title:"<script>alert("xss")</script>'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 400 </title>
</head>
<body><h2>HTTP ERROR: 400</h2><pre>org.apache.lucene.queryParser.ParseException: Cannot parse 'title:"&lt;script&gt;alert("xss")&lt;/script&gt;': Lexical error at line 1, column 37.  Encountered: &lt;EOF&gt; after : "\")&lt;/script&gt;"</pre>
<p>RequestURI=/solr/select/</p><p><i><small><a href="http://jetty.mortbay.org/">Powered by Jetty://</a></small></i></p><br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                

</body>
</html>
{code}

From the browser, it displays:
{code}
HTTP ERROR: 400

org.apache.lucene.queryParser.ParseException: Cannot parse 'title:"<script>alert("xss")</script>': Lexical error at line 1, column 37.  Encountered: <EOF> after : "\")</script>"

RequestURI=/solr/select/

Powered by Jetty://
{code}


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781507#action_12781507 ]

Bill Au commented on SOLR-1594:
-------------------------------

Jetty is sanitizing both the HTTP response line and the response body so it is OK.  I know of at least one appserver that is not doing that.


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781513#action_12781513 ]

Yonik Seeley commented on SOLR-1594:
------------------------------------

Ahhh.  If we escape it, will it then be double escaped by the time it gets out of jetty?


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781522#action_12781522 ]

Bill Au commented on SOLR-1594:
-------------------------------

I just tried it and Jetty does double-escape:

org.apache.lucene.queryParser.ParseException: Cannot parse '"&amp;lt;script&amp;gt;alert("xss")&amp;lt;/script&amp;gt;': Lexical error at line 1, column 31.  Encountered: &amp;lt;EOF&amp;gt; after : "\")&amp;lt;/script&amp;gt;"

So should we leave it up to the appserver to do the right thing or should Solr be more proactive?  To me double-escaping is a lesser evil than being vulnerable to an XSS attack.


[jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781530#action_12781530 ]

Hoss Man commented on SOLR-1594:
--------------------------------

bq. So should we leave it up to the appserver to do the right thing or should Solr be more proactive?

As long as we're relying on the default error page of the servlet container, we shouldn't attempt to modify the messages in any way, because that will just screw things up for servlet containers that do the correct behavior.  If there is an XSS risk, it's caused by the servlet container, and that's where it should be fixed.

I don't mind putting in workarounds for specific servlet containers when it doesn't affect anybody else, but double escaping would definitely cause problems for people who have good default error pages in their servlet containers (or who customize the Solr webapp to add their own error page).

We should focus our efforts on something like SOLR-141 instead of trying to apply HTML-specific sanitizing.

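The disagreement in Bill Au's and Hoss Man's comments above (escape the message in Solr, or leave it to the container's error page) comes down to which layer escapes and what the browser sees when both do. The following is an added example, not code from Solr, Jetty or this issue's patch: it models the dispatch filter and the container error page as two optional escaping passes over a constructed ParseException-style message, and `classify_error_body` is a check a defender can run on the error body their own container returns to tell an unescaped page from one escaped exactly once or twice. The message text, the page skeleton and the function names are assumptions made for the example.

```python
"""Layered HTML escaping of an exception message, in the spirit of SOLR-1594.

Added example, not Solr code.  Three layers are modelled: the query parser
that raises the exception, an optional dispatch-filter escape (the patch
idea), and an optional container error-page escape (what Jetty does).
"""
import html

# Constructed sample: a message in the shape of the ParseException quoted in
# the thread, carrying the user-supplied query text verbatim.
USER_INPUT = 'title:"<script>alert("xss")</script>'
RAW_MESSAGE = f"Cannot parse '{USER_INPUT}': Lexical error at line 1, column 37."


def render_error_page(message, filter_escapes, container_escapes):
    """Return the HTML body the browser receives under the given escaping policy.

    quote=False mirrors the observed Jetty output, where double quotes in the
    message were left alone and only &, < and > were escaped.
    """
    if filter_escapes:      # hypothetical Solr-side sanitizing in the dispatch filter
        message = html.escape(message, quote=False)
    if container_escapes:   # the servlet container's default error page
        message = html.escape(message, quote=False)
    return f"<html><body><h2>HTTP ERROR: 400</h2><pre>{message}</pre></body></html>"


def classify_error_body(body, raw_message):
    """Classify how raw_message was escaped in an error response body.

    Returns 'unescaped' (markup from the message reached the page verbatim,
    the XSS case), 'escaped' (escaped exactly once), 'double-escaped'
    (both layers escaped, the &amp;lt; form seen in the thread) or 'absent'.
    """
    once = html.escape(raw_message, quote=False)
    twice = html.escape(once, quote=False)
    if once == raw_message:                 # nothing escapable, nothing to decide
        return "escaped" if raw_message in body else "absent"
    if raw_message in body:
        return "unescaped"
    if twice in body:                       # check the longer form first
        return "double-escaped"
    if once in body:
        return "escaped"
    return "absent"


def escaping_matrix(message=RAW_MESSAGE):
    """Classify the rendered page for every filter/container escaping combination."""
    results = {}
    for filter_escapes in (False, True):
        for container_escapes in (False, True):
            body = render_error_page(message, filter_escapes, container_escapes)
            results[(filter_escapes, container_escapes)] = classify_error_body(body, message)
    return results


if __name__ == "__main__":
    for (f, c), verdict in escaping_matrix().items():
        print(f"filter_escapes={f!s:5} container_escapes={c!s:5} -> {verdict}")
```

Run stand-alone, the matrix shows the four outcomes the thread argues over: neither layer escaping leaves the script tag in the page, either layer alone yields a correctly escaped message, and both together produce the double-escaped text Bill Au pasted. To use the check against a real deployment, feed `classify_error_body` the body your container returned for a request whose message you know, with `raw_message` set to the unescaped exception text from the server log.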

[jira] Resolved: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message

Tim Allison (Jira)
In reply to this post by Tim Allison (Jira)

     [ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bill Au resolved SOLR-1594.
---------------------------

    Resolution: Invalid

This same problem had been reported against and fixed in Tomcat.  I have reported it to the vendor of my appserver and they are working on a fix.  Marking as invalid.
