lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-1523) Destructive Solr operations accept HTTP GET requests
Date Mon, 02 Dec 2013 14:14:38 GMT

    [ https://issues.apache.org/jira/browse/SOLR-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836519#comment-13836519
] 

Uwe Schindler edited comment on SOLR-1523 at 12/2/13 2:12 PM:
--------------------------------------------------------------

This is my favourite: http://www.thetaphi.de/nukeyoursolrindex.html

bq. Another dangerous default is the solrconfig.xml <requestParsers> parameter enableRemoteStreaming="true"
which should pershaps default to false from 4.7 or 5.0. It allows anyone to delete everything
with a single GET...

This also works without remote streaming, a single {{stream.body=...}} parameter can emulate
any POST request. See my report about the edit file admin handler from yesterday: [https://issues.apache.org/jira/browse/SOLR-5287?focusedCommentId=13836061&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13836061]


was (Author: thetaphi):
This is my favourite: http://www.thetaphi.de/nukeyoursolrindex.html

bq. Another dangerous default is the solrconfig.xml <requestParsers> parameter enableRemoteStreaming="true"
which should pershaps default to false from 4.7 or 5.0. It allows anyone to delete everything
with a single GET...

This also works without remote streaming, a single {{stream.body=...}} parameter can emulate
any POST request. See my report about the edit file admin handler from yesterday.

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>
>                 Key: SOLR-1523
>                 URL: https://issues.apache.org/jira/browse/SOLR-1523
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
>
> GET v.s. POST/PUT/DELETE
> The multicore implementation allows HTTP GET requests to perform system administration
commands. This means that an URL which alters the system can be bookmarked/e-mailed/etc. This
is dangerous in a production system.
> A clean implementation should give every request handler the ability to accept some HTTP
verbs and reject others. It could be just a boolean for whether it accepts a GET, or the interface
might actually have a list of verbs it accepts. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message