lucene-issues mailing list archives

From "Joel Bernstein (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Wed, 04 Dec 2019 16:59:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987994#comment-16987994 ]

Joel Bernstein edited comment on SOLR-13987 at 12/4/19 4:58 PM:
----------------------------------------------------------------

I have a question and a possible approach.

Is the main issue here that people *want* to expose Solr to the open internet, or that people
may expose Solr to the open internet by mistake? Or is there some other concern about internal
attacks?

Here is a suggestion that I would be willing to take on to resolve this specific security
issue. The suggestion is to have Solr start in "headless" mode by default. This would effectively
turn off the admin. But a flag could be used to turn on the admin at startup.

How do people feel about this suggestion?


> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval, which
> means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
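The issue description above says a CSP that has to allow eval() is weak. The following is an added example, not code from the Solr admin UI or from anyone on this thread: a small parser that reports whether a given Content-Security-Policy header still permits eval(), next to the eval-based response parsing pattern the issue wants removed and its JSON.parse replacement. The header strings, the `parseResponseWithEval` function and the sample payloads are constructed for illustration and are not taken from Solr.

```javascript
// Added example (not Solr project code): why a CSP that must carry 'unsafe-eval'
// is weak, and what dropping the dependency on eval() looks like client-side.

// Parse a Content-Security-Policy header into { directiveName: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does this policy let the browser run eval()/new Function()?
// script-src governs it, falling back to default-src; with neither directive
// (or no policy at all) the browser allows eval.
function cspAllowsEval(header) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed policies: the one the issue complains about, and the one it
// would like the admin UI to be able to run under.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self'";

// The pattern the issue wants removed (hypothetical, not the admin UI's code):
// turning a server response into an object by eval-ing it. Anything
// executable in the payload runs with the page's privileges.
function parseResponseWithEval(text) {
  return eval('(' + text + ')');
}

// The replacement: JSON.parse accepts data only; executable content throws.
function parseResponseSafely(text) {
  return JSON.parse(text);
}

// Constructed sample payloads: a benign Solr-like response and one where the
// "response" carries a script after the JSON object.
const BENIGN = '{"responseHeader":{"status":0}}';
const HOSTILE = '{"responseHeader":{"status":0}}, globalThis.pwned = true';

// Run both parsers over the hostile payload and report what happened.
function demo() {
  globalThis.pwned = false;
  parseResponseWithEval(HOSTILE);
  const evalRanScript = globalThis.pwned === true;

  globalThis.pwned = false;
  let safeThrew = false;
  try {
    parseResponseSafely(HOSTILE);
  } catch (e) {
    safeThrew = e instanceof SyntaxError;
  }
  const safeRanScript = globalThis.pwned === true;

  return { evalRanScript, safeThrew, safeRanScript };
}

console.log('weak CSP allows eval:  ', cspAllowsEval(WEAK_CSP));
console.log('strict CSP allows eval:', cspAllowsEval(STRICT_CSP));
console.log(demo());
```

Under the strict policy the browser refuses the eval() call outright, so `parseResponseWithEval` would not even run; the point of the issue is that the admin UI can only be served under such a policy once every such call has been replaced by something like `parseResponseSafely`.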
