SOLR-10748: Disable stream.body by default


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.1, 8.0
    • Component/s: search

    Description

      Spinoff from SOLR-9623

      Today you can issue an HTTP request parameter stream.body, which Solr will interpret as body content on the request, i.e. make it act as a POST request. This is useful for development and testing but can pose a security risk in production, since users/clients with permission to GET on various endpoints can also post by using stream.body. The classic example is &stream.body=<delete><query>:</query></delete>. And this feature cannot be turned off by configuration; it is not controlled by enableRemoteStreaming.

      This jira will add a configuration option requestDispatcher.requestParsers.enableStreamBody to the <requestParsers> tag in solrconfig as well as to the Config API. I propose to set the default value to *false*.

      Apart from security concerns, this also aligns well with our v2 API effort, which tries to stick to the principle of least surprise in that GET requests shall not be able to modify state. Developers should know how to do a POST today.
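      As an added, defender-side example (not part of this issue or of the Solr code base): a small Python audit that reads the <requestParsers> switches from a solrconfig.xml and flags request-log lines in which a GET carries stream.body, stream.url or stream.file in its query string. The log format, the sample config and the log lines are constructed for the example; treating an absent attribute as false assumes Solr 7.1 or later, where the default this issue introduces applies.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed solrconfig.xml fragment with both switches left on (not from Solr).
SAMPLE_SOLRCONFIG = """<config><requestDispatcher>
  <requestParsers enableRemoteStreaming="true" enableStreamBody="true"
                  multipartUploadLimitInKB="2048000"/>
</requestDispatcher></config>"""

# Constructed request-log lines (combined log format); the second one carries
# an update command in a GET query string, which is what the issue warns about.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2017:10:00:01 +0000] "GET /solr/books/select?q=title:solr&wt=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2017:10:00:02 +0000] "GET /solr/books/update?stream.body=%3Cdelete%3E%3Cquery%3Eid:42%3C/query%3E%3C/delete%3E&commit=true HTTP/1.1" 200 80',
    '10.0.0.9 - - [01/Jun/2017:10:00:03 +0000] "POST /solr/books/update HTTP/1.1" 200 80',
]

STREAM_PARAMS = ("stream.body", "stream.url", "stream.file")
WRITE_MARKERS = ("<delete", "<add", "<commit", "<optimize")  # Solr XML update commands
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def stream_settings(solrconfig_xml: str) -> dict:
    """Effective enableStreamBody / enableRemoteStreaming values. Assumes Solr
    7.1+, where an absent attribute means false (the default this issue sets);
    on older releases stream.body cannot be turned off by configuration at all."""
    root = ET.fromstring(solrconfig_xml)
    parsers = root.find("./requestDispatcher/requestParsers")
    attrs = parsers.attrib if parsers is not None else {}
    return {name: attrs.get(name, "false").lower() == "true"
            for name in ("enableStreamBody", "enableRemoteStreaming")}

def find_stream_requests(log_lines) -> list:
    """(method, path, param, decoded value, looks_like_write) for each request
    whose query string carries a stream.* parameter. A GET hit means a client
    with read access submitted a body, i.e. the GET acted as a POST."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
        for name in STREAM_PARAMS:
            for value in params.get(name, []):
                is_write = any(m in value.lower() for m in WRITE_MARKERS)
                hits.append((match.group("method"), url.path, name, value, is_write))
    return hits
```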


          People

            Assignee: Jan Høydahl (janhoy)
            Reporter: Jan Høydahl (janhoy)
            Votes: 0
            Watchers: 4
