lucene-issues mailing list archives

From "Joel Bernstein (Jira)" <>
Subject [jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Wed, 04 Dec 2019 16:58:00 GMT


Joel Bernstein commented on SOLR-13987:

I have a question and a possible approach.

Is the main issue here that people *want* to expose Solr to the open internet, or that people
may expose Solr to the open internet by mistake? Is there some other concern about internal

Here is a suggestion that I would be willing to take on to resolve this specific security
issue. The suggestion is to have Solr start in "headless" mode by default. This would effectively
turn off the admin. But a flag could be used to turn on the admin at startup.

How do people feel about this suggestion?

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>                 Key: SOLR-13987
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval:
> means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.

This message was sent by Atlassian Jira
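The issue description above says that any CSP shipped with the admin UI is weak as long as it has to allow eval. The following is an added example, not Solr code and not part of the Jira thread, showing how to check a Content-Security-Policy header for that weakness. It assumes the CSP3 fallback rules (eval is governed by script-src, falling back to default-src, and is unrestricted if neither is present) and uses constructed sample header values; function names are the example's own.

```javascript
// Added example (not Solr's code): decide whether a Content-Security-Policy
// still lets the page run eval()/new Function(), the weakness the issue describes.
// Assumed rules (CSP3): eval is governed by script-src; if script-src is absent,
// default-src applies; if neither is present, eval is unrestricted.

// Parse "name value value; name value" into a Map. Per the spec, a directive
// repeated within one policy is ignored after its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when a single policy permits JavaScript eval.
// Note: 'wasm-unsafe-eval' only re-enables WebAssembly compilation, not JS eval.
function policyAllowsEval(policy) {
  const d = parsePolicy(policy);
  const src = d.get('script-src') ?? d.get('default-src');
  if (src === undefined) return true; // nothing governs scripts: eval unrestricted
  return src.some((t) => t.toLowerCase() === "'unsafe-eval'");
}

// Several CSP headers (or one header with comma-joined policies) are all
// enforced; eval is only usable if every policy allows it.
function headersAllowEval(headerValues) {
  return headerValues
    .flatMap((h) => h.split(','))
    .map((p) => p.trim())
    .filter(Boolean)
    .every(policyAllowsEval);
}

// Produce the hardened policy: drop 'unsafe-eval' from the governing directive.
// This is only safe once the UI no longer needs eval, which is the point of the issue.
function stripUnsafeEval(policy) {
  return policy
    .split(';')
    .map((part) => {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) return '';
      const name = tokens[0].toLowerCase();
      if (name !== 'script-src' && name !== 'default-src') return tokens.join(' ');
      return tokens.filter((t) => t.toLowerCase() !== "'unsafe-eval'").join(' ');
    })
    .filter(Boolean)
    .join('; ');
}

// Constructed sample headers, the kind a UI that still needs eval would ship.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data:";
const STRICT_CSP = stripUnsafeEval(WEAK_CSP);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak policy allows eval:', policyAllowsEval(WEAK_CSP));     // true
  console.log('hardened policy allows eval:', policyAllowsEval(STRICT_CSP)); // false
  console.log('hardened policy:', STRICT_CSP);
}
```

The check only covers the enforced `Content-Security-Policy` header; a `Content-Security-Policy-Report-Only` header never blocks eval, so it should not be counted as protection when auditing a deployment.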

