From e897e311b9a74ba2f20d3a8138bc0a4b2eca106f Mon Sep 17 00:00:00 2001
From: Antonio Nikishaev <me@lelf.lu>
Date: Fri, 29 Mar 2019 16:08:54 +0400
Subject: [PATCH] [sec] replace, not merge search parameters

It is a security hole otherwise, as you can make solr to perform HTTP
requests to arbitrary hosts.
---
 src/yz_solr.erl | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/yz_solr.erl b/src/yz_solr.erl
index b600ffb9..0c1eed8d 100644
--- a/src/yz_solr.erl
+++ b/src/yz_solr.erl
@@ -320,7 +320,14 @@ dist_search(Core, Headers, Params) ->
             ShardFrags = [shard_frag(Core, HostPort) || HostPort <- HostPorts],
             ShardFrags2 = string:join(ShardFrags, ","),
             ShardFQs = build_shard_fq(FilterPairs, Mapping),
-            Params2 = Params ++ [{shards, ShardFrags2}|ShardFQs],
+            %% @todo normalise and filter everything that cannot be ever a valid solr
+            %% param.  It should be possible.  The only problematic thing is
+            %% $substitutions, but they can have their own prefix namespace, like
+            %% param-foo, param-bar.
+            %% For now: just make sure we override shards
+            Params2 = lists:ukeymerge(1,
+                                      lists:keysort(1, [{"shards", ShardFrags2}|ShardFQs]),
+                                      lists:keysort(1, Params)),
             search(Core, Headers, Params2);
         {error, _} = Err ->
             Err