Solr / SOLR-8167

RuleBasedAuthorization plugin bypass with POST requests


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1
    • Fix Version/s: 5.3.2, 5.4, 6.0
    • Component/s: security

    Description

      We are using the RuleBasedAuthorization plugin. We are using the
      collection-admin-edit permission to secure the collections API.

      What I have found is that if I try to, say, create or delete a
      collection using a GET request I am prompted to authenticate as
      expected.

      If I try the same operation using a POST request, it lets me straight
      through and I can delete collections without authenticating.

      I emailed noble.paul directly about this initially and he has confirmed this as a bug.
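      A regression check for the behaviour described above, added here as an example and not code from the SOLR-8167 ticket or the Solr project. It sends the same unauthenticated collection-admin action once as a GET query string and once as a POST form body and flags any method that is not denied; the HTTP client is injected so the verdict logic can also be exercised with stubbed responses. Assumed: a disposable test Solr at localhost:8983 and the standard /solr/admin/collections path.

```python
# Added example: method-parity check for an authorization rule on the
# Collections API (not code from the SOLR-8167 ticket or the Solr project).
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumptions: a disposable local test instance and the standard Collections
# API path. A live run creates a throwaway collection wherever the rule is
# not enforced, so it belongs on a test instance only.
SOLR_URL = "http://localhost:8983/solr/admin/collections"
DENIED = {401, 403}  # status codes that mean the rule was enforced


def http_status(method, url, params):
    """Send params as a GET query string or as a POST form body; return the status."""
    encoded = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{url}?{encoded}", method="GET")
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method=method)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:  # 401/403 are raised, not returned, by urlopen
        return err.code


def authz_parity(send, url, params, methods=("GET", "POST")):
    """Issue the same unauthenticated action once per HTTP method.

    `send(method, url, params) -> int` is injected so the check can run
    against a live server (http_status) or against a stub. Returns the
    per-method status codes and the list of methods that were NOT denied;
    an empty list means the rule held for every method tried.
    """
    statuses = {m: send(m, url, params) for m in methods}
    bypassed = [m for m, code in statuses.items() if code not in DENIED]
    return statuses, bypassed


if __name__ == "__main__":
    # A collection-admin-edit action, sent without any credentials.
    probe = {"action": "CREATE", "name": "authz_probe", "numShards": "1"}
    statuses, bypassed = authz_parity(http_status, SOLR_URL, probe)
    print(statuses, "BYPASS via " + ", ".join(bypassed) if bypassed else "all denied")
```

The stubbed form is also the shape of a unit test for the fix: a 5.3.1-like sender that denies only GET must report POST as bypassed, and a fixed sender must report nothing.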

      Attachments

        1. SOLR-8167.patch (2 kB, Noble Paul)


      People

        Assignee: Anshum Gupta (anshum)
        Reporter: Philip Wigg (pwigg)
        Votes: 0
        Watchers: 5