lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Commented] (SOLR-1523) Destructive Solr operations accept HTTP GET requests
Date Mon, 02 Dec 2013 13:44:36 GMT

    [ https://issues.apache.org/jira/browse/SOLR-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836512#comment-13836512 ]

Jan Høydahl commented on SOLR-1523:
-----------------------------------

Agree. But this issue feels a bit too broad talking about request handlers in general. Our
admin API technology of choice seems to be Restlet.

Perhaps create new concrete sub JIRAs, one for new Core admin REST API, one for Collections
REST API and one for enableRemoteStreaming. Are there other admin APIs to consider?

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>
>                 Key: SOLR-1523
>                 URL: https://issues.apache.org/jira/browse/SOLR-1523
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
>
> GET vs. POST/PUT/DELETE
> The multicore implementation allows HTTP GET requests to perform system administration
> commands. This means that a URL which alters the system can be bookmarked/e-mailed/etc. This
> is dangerous in a production system.
> A clean implementation should give every request handler the ability to accept some HTTP
> verbs and reject others. It could be just a boolean for whether it accepts a GET, or the interface
> might actually have a list of verbs it accepts.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
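The verb-per-handler design the issue proposes, as an added illustration that is not Solr's own code: each registered handler declares the set of HTTP methods it accepts (the boolean "accepts GET" variant falls out as a convenience), the router answers 405 with an Allow header before a handler runs, and an audit pass lists any handler that mutates state yet still accepts GET. The router class, the STATUS/UNLOAD/RELOAD handler names and the CORES table are constructed for the demo.

```python
"""Verb gating for administrative request handlers (illustrative, not Solr code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Methods that must never change server state (RFC 7231 "safe" methods).
SAFE_METHODS: FrozenSet[str] = frozenset({"GET", "HEAD", "OPTIONS"})

# (status code, response headers, body)
Response = Tuple[int, Dict[str, str], str]


@dataclass(frozen=True)
class HandlerSpec:
    """A request handler plus the explicit list of verbs it is willing to accept."""
    name: str
    run: Callable[[Dict[str, str]], str]
    allowed: FrozenSet[str]
    mutates: bool  # True if running this handler changes server state

    def accepts_get(self) -> bool:
        """The 'just a boolean' variant from the issue, derived from the verb list."""
        return "GET" in self.allowed


class AdminRouter:
    def __init__(self) -> None:
        self._handlers: Dict[str, HandlerSpec] = {}

    def register(self, spec: HandlerSpec) -> None:
        self._handlers[spec.name] = spec

    def dispatch(self, method: str, action: str, params: Dict[str, str]) -> Response:
        """Check the verb first; the handler body never runs for a rejected method."""
        spec = self._handlers.get(action)
        if spec is None:
            return 404, {}, f"unknown action {action!r}"
        method = method.upper()
        if method not in spec.allowed:
            allow = ", ".join(sorted(spec.allowed))
            return 405, {"Allow": allow}, f"{method} not allowed for {action!r}"
        body = spec.run(params)
        return 200, {}, "" if method == "HEAD" else body

    def audit(self) -> List[str]:
        """Names of handlers that change state but still answer GET: the bug shape the issue describes."""
        return sorted(s.name for s in self._handlers.values()
                      if s.mutates and s.accepts_get())


# Constructed in-memory "core" table standing in for real server state.
CORES: Dict[str, str] = {"core0": "loaded", "core1": "loaded"}


def status(params: Dict[str, str]) -> str:
    return ",".join(f"{k}={v}" for k, v in sorted(CORES.items()))


def unload(params: Dict[str, str]) -> str:
    name = params.get("core", "")
    if name not in CORES:
        return f"no such core {name!r}"
    CORES[name] = "unloaded"
    return f"unloaded {name}"


def reload_core(params: Dict[str, str]) -> str:
    name = params.get("core", "")
    return f"reloaded {name}" if name in CORES else f"no such core {name!r}"


def build_router() -> AdminRouter:
    r = AdminRouter()
    r.register(HandlerSpec("STATUS", status, frozenset({"GET", "HEAD"}), mutates=False))
    r.register(HandlerSpec("UNLOAD", unload, frozenset({"POST", "DELETE"}), mutates=True))
    # Deliberately misconfigured entry (constructed) so audit() has something to report.
    r.register(HandlerSpec("RELOAD", reload_core, frozenset({"GET", "POST"}), mutates=True))
    return r


if __name__ == "__main__":
    router = build_router()
    print(router.dispatch("GET", "UNLOAD", {"core": "core0"}))   # 405, Allow: DELETE, POST
    print(router.dispatch("POST", "UNLOAD", {"core": "core0"}))  # 200, core0 unloaded
    print(router.audit())                                         # ['RELOAD']
```

The audit is the part worth keeping in a real deployment: a verb check on each handler only helps if no handler is registered with the wrong set, and a startup-time assertion that nothing mutating accepts GET catches that drift. Rejecting GET removes the bookmark/e-mail trigger the issue describes but does not by itself stop a state-changing POST sent from an attacker-controlled page, so the usual cross-site request protections (origin checks, tokens, or a custom header requirement) still apply to the admin endpoints.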


