I think the remote streaming feature should be limited to update request processors. I'm not sure if there is even any use of using it on a /select, but even if there is, it's an unintended security risk. Observe this URL that is roughly the equivalent of an SQL injection attack:
Yep; that's right – this search deletes all the data in your Solr instance! If you blocked off access to /update* based on IP then that isn't good enough.
- relates to
SOLR-2859 solrconfig should declare which request handlers can use remote streaming