lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik Hatcher (Commented) (JIRA)" <>
Subject [jira] [Commented] (SOLR-2854) Limit remote streaming to update handlers
Date Wed, 26 Oct 2011 13:05:32 GMT


Erik Hatcher commented on SOLR-2854:

I don't think we should restrict non-update request handlers from handling streams.  Consider
DocumentAnalysisRequestHandler - it's handy to be able to stream in text for analysis.  There
are other request handlers that leverage this as well.

Perhaps, though, a solution is to not allow streams to be resolved unless they are truly needed
by the request handler?  In your example, there is no need for the standard search request
handler to access any streams and thus that URL shouldn't be hit.
> Limit remote streaming to update handlers
> -----------------------------------------
>                 Key: SOLR-2854
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: David Smiley
>              Labels: security
> I think the remote streaming feature should be limited to update request processors.
I'm not sure if there is even any use of using it on a /select, but even if there is, it's
an unintended security risk.  Observe this URL that is roughly the equivalent of an SQL injection
> http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E
> Yep; that's right -- this *search* deletes all the data in your Solr instance! If you
blocked off access to /update* based on IP then that isn't good enough.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message