Fixed: Execution of queries without authentication (OFBIZ-12857)

The problem lies with the Solr Plugin for OFBiz. It allows the execution of queries without authentication. This fixes it and, because it's more general, also fixes the CVE-2022-47501 ("Arbitrary file reading vulnerability in Solr") that has been handled by OFBIZ-12792. Conflicts handled by hand
apache · Sep 22, 2023 · 998bf51 · 998bf51
1 parent 06dd961
commit 998bf51
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
@@ -71,9 +72,14 @@ public void init(FilterConfig config) throws ServletException {
         super.init(config);
     }
 
-    /**
-     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
-     */
+    private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+        HttpSession session = httpRequest.getSession();
+        GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
+        return UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, httpRequest);
+    }
+
+    /** Do filter */
+    @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
         HttpServletRequest httpRequest = (HttpServletRequest) request;
         HttpServletResponse httpResponse = (HttpServletResponse) response;
@@ -82,11 +88,15 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         // check if the request is from an authorized user
         String servletPath = httpRequest.getServletPath();
 
-        if (servletPath.equals("/solrdefault/debug/dump")) {
+        List<String> solrCoreNames = getCores().getAllCoreNames();
+        boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+                coreName -> servletPath.matches(String.format("/%s/.*", coreName)));
+
+        // check if the request is from an authorized user
+        if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
             sendJsonHeaderMessage(httpRequest, httpResponse, null, "SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
             return;
         }
-
         if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
                 || servletPath.endsWith("/update/json") || servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
                 || servletPath.endsWith("/replication") || servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {