
Load URL content stream on-demand, rather than automatically

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6, 4.0-ALPHA
    • Component/s: None

      Description

      I think the remote streaming feature should be limited to update request processors. I'm not sure if there is even any use of using it on a /select, but even if there is, it's an unintended security risk. Observe this URL that is roughly the equivalent of an SQL injection attack:

      http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E

      Yep; that's right – this search deletes all the data in your Solr instance! If you blocked off access to /update* based on IP then that isn't good enough.
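The description above shows the remote-streaming parameters being reached through a read-only search handler, so a defender's first question is whether any such request has already hit the server. The script below is an added example, not code from Solr or from this issue: it scans Solr request-log lines (the sample lines and the log format are constructed approximations; the regex and field names are assumptions about your deployment) for stream.url, stream.file or stream.body on any handler other than /update*, and for stream.url it reports which host and path the server would have fetched on the client's behalf.

```python
"""Flag Solr requests that carry remote-streaming parameters on non-update handlers.

Added example, not part of SOLR-2854 or of Solr itself. The log format below is a
constructed approximation of Solr's request log; adjust LOG_RE to your deployment.
"""
import re
from urllib.parse import parse_qs, urlparse

# Parameters that make Solr open a content stream on the server side.
STREAM_PARAMS = ("stream.url", "stream.file", "stream.body")

# Assumed log shape: "... path=/select params={q=...&rows=...} hits=... status=..."
LOG_RE = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>.*)\}")

# Constructed sample log: one benign search, one normal update, one search that
# smuggles an /update call through stream.url, and a legitimate stream.file upload
# on the extract handler.
SAMPLE_LOG = """\
INFO: [collection1] webapp=/solr path=/select params={q=*:*&rows=2&wt=json} hits=10 status=0 QTime=1
INFO: [collection1] webapp=/solr path=/update params={commit=true} status=0 QTime=12
INFO: [collection1] webapp=/solr path=/select params={q=*:*&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtrue%26stream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E} hits=0 status=0 QTime=3
INFO: [collection1] webapp=/solr path=/update/extract params={literal.id=doc1&stream.file=%2Ftmp%2Fupload.pdf} status=0 QTime=40
"""


def parse_line(line):
    """Return {"path": ..., "params": {name: [values]}} or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    params = parse_qs(m.group("params"), keep_blank_values=True)
    return {"path": m.group("path"), "params": params}


def describe_stream_target(value):
    """For a stream.url value, report where the server would have connected."""
    u = urlparse(value)
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port,
        "path": u.path,
        # Parameter names inside the fetched URL (e.g. stream.body on an /update call).
        "nested_params": sorted(parse_qs(u.query).keys()),
    }


def find_suspicious(log_text):
    """Collect requests that use stream.* parameters outside the update handlers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        used = [p for p in STREAM_PARAMS if p in rec["params"]]
        if not used:
            continue
        if rec["path"].startswith("/update"):
            continue  # streaming content into an update handler is the intended use
        finding = {"path": rec["path"], "stream_params": used}
        if "stream.url" in rec["params"]:
            finding["target"] = describe_stream_target(rec["params"]["stream.url"][0])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On the constructed sample this yields exactly one finding: a /select request whose stream.url would have made the server call localhost:8983/solr/update with a stream.body parameter, which is the case described in this issue. Run it over a real request log to gauge exposure before upgrading; beyond the fix in 3.6/4.0, Solr's solrconfig.xml controls this feature through the enableRemoteStreaming attribute of the requestParsers element, which should stay off unless a handler actually needs it.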

Activity

    David Smiley made changes:
      Status: Reopened → Closed
      Resolution: Fixed
    David Smiley made changes:
      Fix Version/s: 3.6
    David Smiley made changes:
      Resolution: Fixed
      Status: Resolved → Reopened
    David Smiley made changes:
      Link: This issue relates to SOLR-2859
    Erik Hatcher made changes:
      Status: Open → Resolved
      Resolution: Fixed
    Erik Hatcher made changes:
      Summary: "Limit remote streaming to update handlers" → "Load URL content stream on-demand, rather than automatically"
      Fix Version/s: 4.0
    Erik Hatcher made changes:
      Attachment: SOLR-2854-extract_fix.patch
    Erik Hatcher made changes:
      Assignee: Erik Hatcher
    Ryan McKinley made changes:
      Attachment: SOLR-2854-delay-stream-opening.patch
    David Smiley created issue

People

    • Assignee: Erik Hatcher
    • Reporter: David Smiley
    • Votes: 0
    • Watchers: 0