lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl (JIRA) <>
Subject [jira] [Commented] (SOLR-1523) Destructive Solr operations accept HTTP GET requests
Date Mon, 02 Dec 2013 13:24:37 GMT


Jan Høydahl commented on SOLR-1523:

I'm tempted to close this as Won't fix, as it seems people are in general happy with the APIs.

However, since we got the new Schema REST API we actually started doing admin stuff with proper
REST. I like that. Question is whether there is anything to gain by re-writing the Cores API
and the Collections API to use RestLet as well, getting away with the {{action=CREATE}} kind
of syntax and instead doing it with POST/PUT. Perhaps for 5.0?

Another dangerous default is the solrconfig.xml {{<requestParsers>}} parameter {{enableRemoteStreaming="true"}}
which should pershaps default to {{false}} from 4.7 or 5.0. It allows anyone to delete everything
with a single GET...

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>                 Key: SOLR-1523
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
> The multicore implementation allows HTTP GET requests to perform system administration
commands. This means that an URL which alters the system can be bookmarked/e-mailed/etc. This
is dangerous in a production system.
> A clean implementation should give every request handler the ability to accept some HTTP
verbs and reject others. It could be just a boolean for whether it accepts a GET, or the interface
might actually have a list of verbs it accepts. 

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message