Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-11495

Reduce the list of which query parsers are loaded by default

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: query parsers
    • Labels:
      None

      Description

      Virtually all of the query parsers that Solr supports are enabled by default, in a map created in QParserPlugin.java.

      To reduce the possible attack surface of a default Solr installation, I believe that the list of default parsers should be limited to a small handful of the full list that's available. I will discuss specific ideas for that list in comments.

      I think the bar should be very high for admission to the default parser list. That list should only include those that are most commonly used by the community. Only the most common parsers will have had extensive review for security issues.

      Edit: moved description from "Docs Text" field where it was initially added mistakenly.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                elyograg Shawn Heisey
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated: