[ https://issues.apache.org/jira/browse/SOLR-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Erik Hatcher resolved SOLR-2854. -------------------------------- Resolution: Fixed > Load URL content stream on-demand, rather than automatically > ------------------------------------------------------------ > > Key: SOLR-2854 > URL: https://issues.apache.org/jira/browse/SOLR-2854 > Project: Solr > Issue Type: Improvement > Reporter: David Smiley > Assignee: Erik Hatcher > Labels: security > Fix For: 4.0 > > Attachments: SOLR-2854-delay-stream-opening.patch, > SOLR-2854-extract_fix.patch, > SOLR-2854_test_remote_streaming_not_done_on_select.patch > > > I think the remote streaming feature should be limited to update request > processors. I'm not sure if there is even any use of using it on a /select, > but even if there is, it's an unintended security risk. Observe this URL > that is roughly the equivalent of an SQL injection attack: > http://localhost:8983/solr/select?q=*:*&indent=on&wt=ruby&rows=2&stream.url=http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fupdate%3Fcommit%3Dtruetream.body%3D%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E > Yep; that's right -- this *search* deletes all the data in your Solr > instance! If you blocked off access to /update* based on IP then that isn't > good enough. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org