[lucene-solr] 06/11: Fix CVE-2017-3163
Markus Koschany
apo at moszumanska.debian.org
Sun Jan 14 14:29:29 UTC 2018
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch master
in repository lucene-solr.
commit 4e5f8a68c6a05d98dd90ee5d3d731e2445c9313a
Author: Markus Koschany <apo at debian.org>
Date: Sun Jan 14 00:54:38 2018 +0100
Fix CVE-2017-3163
---
debian/patches/CVE-2017-3163.patch | 50 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 51 insertions(+)
diff --git a/debian/patches/CVE-2017-3163.patch b/debian/patches/CVE-2017-3163.patch
new file mode 100644
index 0000000..a5140ff
--- /dev/null
+++ b/debian/patches/CVE-2017-3163.patch
@@ -0,0 +1,50 @@
+Description: Validation of filename params in ReplicationHandler
+ This is a backport of upstream patch available in commit
+ ae789c252687dc8a18bfdb677f2e6cd14570e4db made by janhoy <janhoy at apache.org>
+Author: Lucas Kanashiro <kanashiro at debian.org>
+Last-Updated: 2017-07-21
+
+--- a/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
++++ b/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
+@@ -42,6 +42,8 @@
+ import java.io.*;
+ import java.nio.ByteBuffer;
+ import java.nio.channels.FileChannel;
++import java.nio.file.Path;
++import java.nio.file.Paths;
+ import java.text.NumberFormat;
+ import java.util.*;
+ import java.util.concurrent.locks.ReentrantLock;
+@@ -1010,8 +1012,8 @@
+ }
+
+ public void write(OutputStream out) throws IOException {
+- String fileName = params.get(FILE);
+- String cfileName = params.get(CONF_FILE_SHORT);
++ String fileName = validateFilenameOrError(params.get(FILE));
++ String cfileName = validateFilenameOrError(params.get(CONF_FILE_SHORT));
+ String sOffset = params.get(OFFSET);
+ String sLen = params.get(LEN);
+ String compress = params.get(COMPRESSION);
+@@ -1091,6 +1093,21 @@
+ }
+ }
+
++ // Throw exception on directory traversal attempts
++ protected String validateFilenameOrError(String filename) {
++ if (filename != null) {
++ Path filePath = Paths.get(filename);
++ for (Path subpath : filePath) {
++ if ("..".equals(subpath.toString())) {
++ throw new SolrException(ErrorCode.FORBIDDEN, "File name cannot contain ..");
++ }
++ }
++ if (filePath.isAbsolute()) {
++ throw new SolrException(ErrorCode.FORBIDDEN, "File name must be relative");
++ }
++ return filename;
++ } else return null;
++ }
+
+ /**
+ * Used to write a marker for EOF
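Review bot: `Paths.get(filename)` in `validateFilenameOrError` can throw the unchecked `InvalidPathException` for a request value the default filesystem cannot parse (a NUL character on Unix, for instance), and nothing in the visible method catches it, so that input is not reported as FORBIDDEN and probably surfaces as a generic server error instead. This still fails closed, but wrapping the parse and rethrowing as a `SolrException` with `ErrorCode.FORBIDDEN` keeps every rejected file name on one code path that is easy to log and alert on; it needs `import java.nio.file.InvalidPathException;` next to the added `Path`/`Paths` imports. The check is also purely lexical, so containment against the directory being served (resolve, normalize, `startsWith`) would have to be done where `write()` opens the file, and that part of `write()` is outside this hunk.

```java
protected String validateFilenameOrError(String filename) {
  if (filename != null) {
    Path filePath;
    try {
      filePath = Paths.get(filename);
    } catch (InvalidPathException e) {
      // Reject names the filesystem cannot parse the same way as traversal attempts
      throw new SolrException(ErrorCode.FORBIDDEN, "File name is not a valid path", e);
    }
    // … unchanged: ".." element check, absolute-path check, return filename / null …
```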
diff --git a/debian/patches/series b/debian/patches/series
index 133e43c..efe950d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ commons-codec-compatibility.patch
java8-compatibility.patch
CVE-2017-12629.patch
remove-RunExecutableListener.patch
+CVE-2017-3163.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/lucene-solr.git