lucene-dev mailing list archives

From Tom Burton-West <tburt...@umich.edu>
Subject Solr 4.7 example solrconfig.xml has confusing comments about a security vulnerability
Date Wed, 09 Apr 2014 17:13:51 GMT
In SOLR-5522, the handler configuration code for the admin/fileedit
request handler, which would allow modification of Solr Config files, was
removed from the example solrconfig.xml, but the comments were left in the
example file.

http://svn.apache.org/viewvc/lucene/dev/branches/lucene_solr_4_7/solr/example/solr/collection1/conf/solrconfig.xml?r1=1547261&r2=1547270

Thus the warning (appended below) was left in the example solrconfig.xml.
I spent a bit of time trying to figure out how the ping/healthcheck
request handler would allow the Solr UI to edit config files before I
figured out that the comment applied to a request handler that had been
removed from the example file.

Should I open a JIRA issue and provide a patch?


Tom


  <!--
    Enabling this request handler (which is NOT a default part of the admin handler) will allow the Solr UI to edit
    all the config files. This is intended for secure/development use ONLY! Leaving available and publically
    accessible is a security vulnerability and should be done with extreme caution!
  -->
  <!-- ping/healthcheck -->
  <requestHandler name="/admin/ping" class="solr.PingRequestHandler">
    <lst name="invariants">
