lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik Hatcher (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-2854) Limit remote streaming to update handlers
Date Thu, 27 Oct 2011 15:18:32 GMT

    [ https://issues.apache.org/jira/browse/SOLR-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13137204#comment-13137204
] 

Erik Hatcher commented on SOLR-2854:
------------------------------------

bq. Definitely should be investigated... exception being swallowed somewhere? getStream()
being called more than once? 

No exception or multiple getStream() calls.  Turns out the metadata attributes (which are
ignored in the example /update/extract config) were being set to null (as evidenced by stepping
through with a debugger attached).  The latest patch fixes this.  All seems to be well otherwise
in investigating the use of other content stream usage where getStream() is called first.
  I'm going to commit this patch and add a comment to the getStream() method to note that
it should be called before the other properties.
                
> Limit remote streaming to update handlers
> -----------------------------------------
>
>                 Key: SOLR-2854
>                 URL: https://issues.apache.org/jira/browse/SOLR-2854
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: David Smiley
>            Assignee: Erik Hatcher
>              Labels: security
>         Attachments: SOLR-2854-delay-stream-opening.patch, SOLR-2854-extract_fix.patch,
SOLR-2854_test_remote_streaming_not_done_on_select.patch
>
>
> I think the remote streaming feature should be limited to update request processors.
I'm not sure if there is even any use of using it on a /select, but even if there is, it's
an unintended security risk.  Observe this URL that is roughly the equivalent of an SQL injection
attack:
> http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E
> Yep; that's right -- this *search* deletes all the data in your Solr instance! If you
blocked off access to /update* based on IP then that isn't good enough.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message