lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noble Paul (JIRA)" <>
Subject [jira] [Commented] (SOLR-1523) Destructive Solr operations accept HTTP GET requests
Date Mon, 02 Dec 2013 13:30:36 GMT


Noble Paul commented on SOLR-1523:

I still believe we should just  fix this. It is very easy to screw up stuff over http GET

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>                 Key: SOLR-1523
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
> The multicore implementation allows HTTP GET requests to perform system administration
commands. This means that an URL which alters the system can be bookmarked/e-mailed/etc. This
is dangerous in a production system.
> A clean implementation should give every request handler the ability to accept some HTTP
verbs and reject others. It could be just a boolean for whether it accepts a GET, or the interface
might actually have a list of verbs it accepts. 

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message