[ https://issues.apache.org/jira/browse/SOLR-13534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861469#comment-16861469 ]

Tomás Fernández Löbbe commented on SOLR-13534:
----------------------------------------------

I feel we've had CVEs for much less than this. What's the security story about 
this? Is that "url" any url? Maybe there should be some indirection there, and 
have some sort of "repository" (or some other name here) that can be configured 
in solr.xml or something, or at least some sort of whitelisting.

> Dynamic loading of jars from a url
> ----------------------------------
>
>                 Key: SOLR-13534
>                 URL: https://issues.apache.org/jira/browse/SOLR-13534
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Noble Paul
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Dynamic loading is possible from {{.system}} collection. It's much easier to 
> host the jars on a remote service and load it from there. This way the user 
> should have no problem in loading jars when the {{.system}} collection is not 
> available for some reason.
> The steps should look as follows
>  # get the hash of your jar file.  {{openssl dgst -sha512 <jar>}}
>  # upload it to your hosting service. Say the location is 
> {{[http://host:port/my-jar/location|http://hostport/]}}
>  # create a runtime lib entry for the collection as follows
> {code:java}
> curl http://localhost:8983/solr/techproducts/config \
>   -H 'Content-type:application/json' -d '{
>    "add-runtimelib": { "name":"jarblobname",
>      "sha512":"e94bb3990b39aacdabaa3eef7ca6102d96fa46766048da50269f25fd41164440a4e024d7a7fb0d5ec328cd8322bb65f5ba7886e076a8f224f78cb310fd45896d",
>      "url" : "http://host:port/my-jar/location"}
> }'
> {code}
> To update the jar, just repeat the steps and use the {{update-runtimelib}} to 
> update the sha512 hash.
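
The whitelisting idea raised in the comment above, combined with the sha512 pin from the issue description, as an added sketch (not Solr code and not from the thread). It assumes Java 17+ for `HexFormat`; the class name, `ALLOWED_REPOS` and the repository URL are hypothetical.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.List;

public class RuntimeLibCheck {
    // Hypothetical allowlist of jar repositories (constructed values, not Solr configuration).
    static final List<URI> ALLOWED_REPOS =
        List.of(URI.create("https://repo.example.com/solr-libs/"));

    static int port(URI u) { return u.getPort() == -1 ? 443 : u.getPort(); }

    // Accept only https URLs without userinfo that sit under an allowed repository prefix.
    static boolean isAllowed(String url) {
        URI u;
        try { u = new URI(url).normalize(); } catch (Exception e) { return false; }
        String path = u.getPath(); // decoded form, so %2e%2e shows up as ".."
        if (!"https".equalsIgnoreCase(u.getScheme()) || u.getHost() == null
                || u.getUserInfo() != null || path == null || path.contains("..")) {
            return false;
        }
        for (URI repo : ALLOWED_REPOS) {
            if (repo.getHost().equalsIgnoreCase(u.getHost()) && port(repo) == port(u)
                    && path.startsWith(repo.getPath())) {
                return true;
            }
        }
        return false;
    }

    // Compare the SHA-512 of the fetched bytes with the pinned hex digest.
    static boolean matchesSha512(byte[] jar, String pinnedHex) throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-512").digest(jar);
        try {
            return MessageDigest.isEqual(actual, HexFormat.of().parseHex(pinnedHex.trim()));
        } catch (IllegalArgumentException e) { return false; } // pin is not valid hex
    }

    public static void main(String[] args) throws Exception {
        byte[] jar = "constructed stand-in for jar bytes".getBytes(StandardCharsets.UTF_8);
        String pin = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-512").digest(jar));
        System.out.println(isAllowed("https://repo.example.com/solr-libs/my.jar"));       // under the prefix
        System.out.println(isAllowed("http://host:port/my-jar/location"));                // URL from the issue text
        System.out.println(isAllowed("https://repo.example.com/solr-libs/%2e%2e/x.jar")); // encoded traversal
        System.out.println(matchesSha512(jar, pin) + " " + matchesSha512(new byte[0], pin));
    }
}
```

A fetcher that follows redirects would need to apply `isAllowed` to every hop, and the digest check has to run on the bytes actually handed to the class loader.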


