Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-2854

Load URL content stream on-demand, rather than automatically

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.6, 4.0-ALPHA
    • None

    Description

      I think the remote streaming feature should be limited to update request processors. I'm not sure if there is even any use of using it on a /select, but even if there is, it's an unintended security risk. Observe this URL that is roughly the equivalent of an SQL injection attack:

      http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E

      Yep; that's right – this search deletes all the data in your Solr instance! If you blocked off access to /update* based on IP then that isn't good enough.

      Attachments

        1. SOLR-2854_branch_3x_remote_streaming_fix.patch
          13 kB
          David Smiley
        2. SOLR-2854_test_remote_streaming_not_done_on_select.patch
          5 kB
          David Smiley
        3. SOLR-2854-delay-stream-opening.patch
          1.0 kB
          Ryan McKinley
        4. SOLR-2854-extract_fix.patch
          2 kB
          Erik Hatcher

        Issue Links

          Activity

            People

              ehatcher Erik Hatcher
              dsmiley David Smiley
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: