Return-Path: X-Original-To: apmail-lucene-dev-archive@www.apache.org Delivered-To: apmail-lucene-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BE70473CF for ; Wed, 26 Oct 2011 14:53:55 +0000 (UTC) Received: (qmail 70164 invoked by uid 500); 26 Oct 2011 14:53:54 -0000 Delivered-To: apmail-lucene-dev-archive@lucene.apache.org Received: (qmail 70115 invoked by uid 500); 26 Oct 2011 14:53:54 -0000 Mailing-List: contact dev-help@lucene.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@lucene.apache.org Delivered-To: mailing list dev@lucene.apache.org Received: (qmail 70108 invoked by uid 99); 26 Oct 2011 14:53:54 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Oct 2011 14:53:54 +0000 X-ASF-Spam-Status: No, hits=-2000.5 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Oct 2011 14:53:52 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 30ECC31C8DC for ; Wed, 26 Oct 2011 14:51:32 +0000 (UTC) Date: Wed, 26 Oct 2011 14:51:32 +0000 (UTC) From: "Erik Hatcher (Commented) (JIRA)" To: dev@lucene.apache.org Message-ID: <1242170003.18462.1319640692202.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <2027154311.16625.1319604572731.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Commented] (SOLR-2854) Limit remote streaming to update handlers MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/SOLR-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13136024#comment-13136024 ] Erik Hatcher commented on SOLR-2854: ------------------------------------ +1 on Ryan's approach. David, does that work for you? Can someone drum up some test cases to add along with this? Also, this isn't quite like a SQL injection attack where malicious strings can be put right into the query. It would require some application level flaws to send an arbitrary stream.url parameter over with user/data input, especially to a /select search request. But certainly the point is taken that bad things can happen with stream.url abuse. > Limit remote streaming to update handlers > ----------------------------------------- > > Key: SOLR-2854 > URL: https://issues.apache.org/jira/browse/SOLR-2854 > Project: Solr > Issue Type: Improvement > Reporter: David Smiley > Labels: security > Attachments: SOLR-2854-delay-stream-opening.patch > > > I think the remote streaming feature should be limited to update request processors. I'm not sure if there is even any use of using it on a /select, but even if there is, it's an unintended security risk. Observe this URL that is roughly the equivalent of an SQL injection attack: > http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E > Yep; that's right -- this *search* deletes all the data in your Solr instance! If you blocked off access to /update* based on IP then that isn't good enough. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional commands, e-mail: dev-help@lucene.apache.org