lucene-dev mailing list archives

From "Ryan McKinley (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-2854) Limit remote streaming to update handlers
Date Wed, 26 Oct 2011 13:19:32 GMT

     [ https://issues.apache.org/jira/browse/SOLR-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan McKinley updated SOLR-2854:
--------------------------------

    Attachment: SOLR-2854-delay-stream-opening.patch

Here is a quick totally untested patch that should behave as Erik describes.  Rather than
create the URLConnection in the constructor, it waits for someone to call getStream().

This will effectively limit streaming to requests that hit something that uses it.
                
> Limit remote streaming to update handlers
> -----------------------------------------
>
>                 Key: SOLR-2854
>                 URL: https://issues.apache.org/jira/browse/SOLR-2854
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: David Smiley
>              Labels: security
>         Attachments: SOLR-2854-delay-stream-opening.patch
>
>
> I think the remote streaming feature should be limited to update request processors.
> I'm not sure if there is even any use of using it on a /select, but even if there is, it's
> an unintended security risk.  Observe this URL that is roughly the equivalent of an SQL injection
> attack:
> http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E
> Yep; that's right -- this *search* deletes all the data in your Solr instance! If you
> blocked off access to /update* based on IP then that isn't good enough.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
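The timing difference the patch relies on (opening the URLConnection in the constructor versus deferring it to getStream()), as an added illustration in Java that is not code from the patch or from Solr itself. The ContentStream interface, the fetch log standing in for URLConnection, and the two-handler dispatch are simplified, hypothetical stand-ins.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class StreamOpenTiming {
    // Hypothetical stand-in for Solr's ContentStream; only the open timing matters here.
    interface ContentStream { InputStream getStream() throws IOException; }

    // Records every remote URL that would actually be fetched (constructed; replaces URLConnection).
    static final List<String> fetched = new ArrayList<>();
    static InputStream fetch(String url) {
        fetched.add(url);                               // a real URLConnection would connect here
        return new ByteArrayInputStream(("response from " + url).getBytes());
    }

    // Pre-patch shape: the remote URL is fetched while the request is still being parsed,
    // so every handler that accepts stream.url triggers the fetch, even if it never reads it.
    static ContentStream eagerUrlStream(String url) {
        final InputStream in = fetch(url);
        return () -> in;
    }

    // Patch shape: nothing is fetched until some handler actually calls getStream().
    static ContentStream delayedUrlStream(String url) {
        return new ContentStream() {
            private InputStream in;
            public synchronized InputStream getStream() {
                if (in == null) in = fetch(url);
                return in;
            }
        };
    }

    // Simulated dispatch: /select answers a query and never touches the stream; /update consumes it.
    static int fetchesTriggered(String path, String streamUrl, boolean delayed) throws IOException {
        fetched.clear();
        ContentStream cs = delayed ? delayedUrlStream(streamUrl) : eagerUrlStream(streamUrl);
        if (path.equals("/update")) {
            cs.getStream().close();                     // the update handler reads the body
        }
        return fetched.size();
    }

    public static void main(String[] args) throws IOException {
        String url = "http://internal.example/resource";   // constructed sample value
        System.out.println("eager   /select fetches: " + fetchesTriggered("/select", url, false));
        System.out.println("delayed /select fetches: " + fetchesTriggered("/select", url, true));
        System.out.println("delayed /update fetches: " + fetchesTriggered("/update", url, true));
    }
}
```

With the delayed stream, a /select carrying stream.url causes no outbound request at all, which is the behaviour Ryan's comment describes; only a handler that calls getStream() ever opens the connection.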
