SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability

[Sachpat]

Description

This is the fix for CVE-2019-17558: Velocity custom template RCE vulnerability, which was fixed for 8.3 and I provided the same fix for 7.7 as per the discussion here:
https://issues.apache.org/jira/browse/SOLR-13971?focusedCommentId=17010489&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17010489

Checklist

Please review the following and check all that apply:

• I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
• I have created a Jira issue and added the issue ID to my pull request title.
• I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
• I have developed this patch against the master branch.
• I have run ant precommit and the appropriate test suite.
• I have added tests for my changes.
• I have added documentation for the Ref Guide (for Solr changes only).

[Sachpat]

@chatman please take a look :)

[Sachpat]

@erikhatcher I also committed the changes for SOLR-14025 in this.

[artem-smotrakov]

Looks like it checks request.getCore().getCoreDescriptor().isConfigSetTrusted() twice. I suppose one check may be removed.

[Sachpat]

Yes, that's right @artem-smotrakov . Actually I tried to align the code according to the original patch 9dfee35. It was also the same there :) @erikhatcher , should I change it or keep it as it is?

[chatman]

Merged. Thanks. Lets close this PR.

[Sachpat]

Thanks for merging it @chatman . Will close this PR now.

[rhtham]

@chatman I am trying to figure out if the following is a mitigation step for CVE-2019-17558 on SOLR 6.1. None of our solrconfig.xml contains the lib references to the velocity jar files as follows:

lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex="..jar"
lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d..jar"

It doesn't appear that you can add these jars references using the config API. Without these references, you are not able to flip the params.resource.loader.enabled to true using the config API. If you are not able to flip the flag and none of your cores have these lib references then is the risk present?

Thanks in advance!

[erikhatcher]

No. Without those libs, no risk present.