lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Smiley (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SOLR-2854) Limit remote streaming to update handlers
Date Wed, 26 Oct 2011 04:49:32 GMT
Limit remote streaming to update handlers
-----------------------------------------

                 Key: SOLR-2854
                 URL: https://issues.apache.org/jira/browse/SOLR-2854
             Project: Solr
          Issue Type: Improvement
            Reporter: David Smiley


I think the remote streaming feature should be limited to update request processors. I'm not
sure if there is even any use of using it on a /select, but even if there is, it's an unintended
security risk.  Observe this URL that is roughly the equivalent of an SQL injection attack:

http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E

Yep; that's right -- this *search* deletes all the data in your Solr instance! If you blocked
off access to /update* based on IP then that isn't good enough.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message