lucene-issues mailing list archives

From "Jason Gerlowski (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Wed, 04 Dec 2019 17:46:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988042#comment-16988042 ]

Jason Gerlowski commented on SOLR-13987:
----------------------------------------

Personally, I like the idea of having the Admin UI be disable-able via a flag.  It's a quick
change (relative to other proposed options), doesn't require scarce JavaScript/Angular expertise,
and users who have followed the community's advice and kept their Solr behind a firewall can
use the same old UI without security concerns.

Does a headless mode obviate the need for the {{eval}} work?  The answer probably depends
on what use-case we're trying to target here, as Joel mentioned above.  Is the concern defending
people who accidentally leave Solr open?  Or are we trying to support users who intentionally
are deploying Solr world-open, and want to use all the bells and whistles (Admin UI, etc.)?



> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org

