lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik Hatcher (Updated) (JIRA)" <>
Subject [jira] [Updated] (SOLR-2854) Limit remote streaming to update handlers
Date Thu, 27 Oct 2011 15:14:32 GMT


Erik Hatcher updated SOLR-2854:

    Attachment: SOLR-2854-extract_fix.patch

Here's a patch that fixes the extracting request handler to pull the stream properties after
getStream() is called.  Stepping through with a debugger showed that before this change the
metadata values were being set to null.
> Limit remote streaming to update handlers
> -----------------------------------------
>                 Key: SOLR-2854
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: David Smiley
>            Assignee: Erik Hatcher
>              Labels: security
>         Attachments: SOLR-2854-delay-stream-opening.patch, SOLR-2854-extract_fix.patch,
> I think the remote streaming feature should be limited to update request processors.
I'm not sure if there is even any use of using it on a /select, but even if there is, it's
an unintended security risk.  Observe this URL that is roughly the equivalent of an SQL injection
> http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E
> Yep; that's right -- this *search* deletes all the data in your Solr instance! If you
blocked off access to /update* based on IP then that isn't good enough.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message