lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-5518) Move editing config files into a new handler
Date Mon, 02 Dec 2013 17:28:37 GMT

    [ https://issues.apache.org/jira/browse/SOLR-5518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836706#comment-13836706 ]

Uwe Schindler commented on SOLR-5518:
-------------------------------------

bq. I'm not sure if there's a need to remove the "Files" Page completely, since browsing the
available files would be possible w/o the write-stuff anyway? maybe just removing the "modify"
functionality but leave the rest "as is"?

I am fine with that! So we should revert SOLR-5287 in branch_4x, remove the "Modify /new File"
button from admin UI, and all should be fine.

The current code should be committed to trunk only, and we open other issues to add "security"
to the admin request handlers before providing them to users in a stable branch. This is all
too half-baked, I don't want to risk Solr's good standing by merging this to a stable branch.
A "file manager" in Solr is way too much for a stable branch, especially if it has no security
at all.

> Move editing config files into a new handler
> --------------------------------------------
>
>                 Key: SOLR-5518
>                 URL: https://issues.apache.org/jira/browse/SOLR-5518
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 5.0, 4.7
>            Reporter: Erick Erickson
>            Assignee: Erick Erickson
>            Priority: Blocker
>         Attachments: SOLR-5518.patch, SOLR-5518.patch
>
>
> See SOLR-5287. Uwe Schindler pointed out that writing files the way 5287 is a security
> vulnerability and that disabling it should be the norm. Subsequent discussion came up with
> this idea.
> Writing arbitrary config files should NOT be on by default.
> We'll also incorporate Mark's idea of testing XML files before writing anywhere.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
