lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Smiley (Created) (JIRA)" <>
Subject [jira] [Created] (SOLR-2854) Limit remote streaming to update handlers
Date Wed, 26 Oct 2011 04:49:32 GMT
Limit remote streaming to update handlers

                 Key: SOLR-2854
             Project: Solr
          Issue Type: Improvement
            Reporter: David Smiley

I think the remote streaming feature should be limited to update request processors. I'm not
sure if there is even any use of using it on a /select, but even if there is, it's an unintended
security risk.  Observe this URL that is roughly the equivalent of an SQL injection attack:


Yep; that's right -- this *search* deletes all the data in your Solr instance! If you blocked
off access to /update* based on IP then that isn't good enough.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message