Details
- Type: Improvement
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
Description
Allowing untrusted configsets, i.e. those that have been uploaded through the configset upload API without authentication/authorization enabled, to use the <lib> directive opens the possibility of a malicious user loading insecure contrib libraries.
Whoever wants to use their own libraries can add them to Solr's classpath (i.e. place them wherever solr-core-*.jar resides). For them, the <lib> directive is not necessary anyway.
Update: another workaround (which is NOT RECOMMENDED) for this problem is to set the configset's "trusted" flag to true with a direct ZooKeeper edit:
    bin/zkCli.sh -server zk1:2181 set /configs/myConfigSet '{"trusted": "true"}'
This requires ZooKeeper's CLI.
The same can be done from Java as well (here we clear the znode's data so that the configset is treated as trusted):
    try (SolrZkClient zkClient = new SolrZkClient(zookeeper.getHost() + ":" + zookeeper.getPort(), 100)) {
        zkClient.setData(ZkConfigManager.CONFIGS_ZKNODE + "/" + configset, (byte[]) null, true);
    }
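A defender-side check that follows from the description above, added here as an example and not part of the issue or of Solr's own code: given the data stored in a configset's znode and its solrconfig.xml, it lists the <lib> directives that an untrusted configset would use to pull code onto the classpath. The interpretation of the znode payload (no data or a truthy "trusted" flag means trusted) is an assumption taken from the two workarounds quoted in the description; the solrconfig.xml and znode payloads are constructed sample data.

```python
"""Audit an uploaded Solr configset for <lib> directives before trusting it."""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample solrconfig.xml, as an uploaded configset might contain.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <luceneMatchVersion>8.0.0</luceneMatchVersion>
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\\.jar" />
  <lib path="/tmp/uploaded/custom.jar" />
  <requestHandler name="/select" class="solr.SearchHandler" />
</config>
"""

# Constructed znode payloads for /configs/<configset>, mirroring the two
# workarounds in the description: a "trusted" key in the JSON, or no data at all.
UNTRUSTED_ZNODE = b'{"trusted": false}'
TRUSTED_ZNODE = b'{"trusted": "true"}'
EMPTY_ZNODE = None


def configset_is_trusted(znode_data: Optional[bytes]) -> bool:
    """No data, or a truthy "trusted" flag, means trusted (assumption derived from
    the description's workarounds, not from Solr source)."""
    if not znode_data:
        return True
    flag = json.loads(znode_data.decode("utf-8")).get("trusted", False)
    if isinstance(flag, str):
        return flag.strip().lower() == "true"
    return bool(flag)


def find_lib_directives(solrconfig_xml: str) -> List[Dict[str, str]]:
    """Return the attributes of every <lib> element in solrconfig.xml."""
    root = ET.fromstring(solrconfig_xml)
    return [dict(el.attrib) for el in root.iter("lib")]


def audit_configset(znode_data: Optional[bytes], solrconfig_xml: str) -> List[str]:
    """Describe each <lib> directive an untrusted configset would use to load code.
    An empty list means nothing to flag (trusted configset, or no <lib> elements)."""
    if configset_is_trusted(znode_data):
        return []
    return [
        "<lib> in untrusted configset: " + ", ".join(f'{k}="{v}"' for k, v in sorted(attrs.items()))
        for attrs in find_lib_directives(solrconfig_xml)
    ]
```

Running `audit_configset(UNTRUSTED_ZNODE, SAMPLE_SOLRCONFIG)` yields two findings, one per <lib> element; the same solrconfig.xml under `TRUSTED_ZNODE` or `EMPTY_ZNODE` yields none.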
Issue Links
- is a child of SOLR-13442 Lean Solr with minimal functionality (Open)