lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Updated] (SOLR-10748) Disable stream.body by default
Date Thu, 06 Jul 2017 12:53:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-10748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jan Høydahl updated SOLR-10748:
-------------------------------
    Attachment: SOLR-10748.patch

Attaching latest patch that will be committed
* Added RefGuide URL in error message so people easily can find how to enable
* Added example curl command to refGuide that can be copy/pasted

> Disable stream.body by default
> ------------------------------
>
>                 Key: SOLR-10748
>                 URL: https://issues.apache.org/jira/browse/SOLR-10748
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: search
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>              Labels: security, streaming
>             Fix For: master (8.0), 7.1
>
>         Attachments: SOLR-10748.patch, SOLR-10748.patch
>
>
> Spinoff from SOLR-9623
> Today you can issue a HTTP request parameter {{stream.body}} which will by Solr be interpreted
as body content on the request, i.e. act as a POST request. This is useful for development
and testing but can pose a security risk in production since users/clients with permission
to to GET on various endpoints also can post by {{using stream.body}}. The classic example
is {{&stream.body=<delete><query>*:*</query></delete>}}. And this
feature cannot be turned off by configuration, it is not controlled by {{enableRemoteStreaming}}.
> This jira will add a configuration option {{requestDispatcher.requestParsers.enableStreamBody}}
to the {{<requestParsers>}} tag in solrconfig as well as to the Config API. I propose
to set the default value to **{{false}}**.
> Apart from security concerns, this also aligns well with our v2 API effort which tries
to stick to the principle of least surprice in that GET requests shall not be able to modify
state. Developers should known how to do a POST today :)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message