On 7/23/2022 9:41 AM, Gus Heck wrote:
There is something of a risk to have a server that accepts non-safe GET requests. All these requests are contrary to the HTTP specification (https://www.rfc-editor.org/rfc/rfc9110.html#section-9.2.1).
If the only way to make certain things happen with a GET is via the admin UI, then I think we can close that vector by turning the admin UI off by default and requiring a config option to enable it, probably in solr.xml. I think the configs we include should NOT have that option enabled.
As you know, every capability that the admin UI has can be accomplished directly. Maybe not with just a browser, but any dedicated attacker won't limit themselves to a browser.
to another discussion (for a different email thread): Standardizing ALL configs to the same format. We currently have a mix of XML, JSON, and properties.
Thanks,
Shawn
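The two mitigations discussed in the thread, refusing to perform state changes on safe methods (RFC 9110 section 9.2.1) and shipping the admin UI disabled unless an operator opts in, as an added example that is not Solr's code or anything from this thread. The `Server` class, the `ROUTES` table and the `admin_ui_enabled` setting are hypothetical names invented for the illustration; they are not Solr configuration keys.

```python
"""Added example (not Solr code): enforce RFC 9110 safe-method semantics in a
small request dispatcher, and gate an admin UI behind an opt-in setting.

``Server``, ``ROUTES`` and ``admin_ui_enabled`` are hypothetical names chosen
for this illustration; they do not correspond to Solr's actual APIs or config.
"""
from dataclasses import dataclass, field

# Safe methods per RFC 9110 section 9.2.1: a server must not change state
# in response to them, so a state-changing action reached this way is refused.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Constructed route table: path -> (state_changing?, handler name).
ROUTES = {
    "/status":      (False, "status"),
    "/reload-core": (True,  "reload_core"),
    "/delete-core": (True,  "delete_core"),
    "/admin/":      (False, "admin_ui"),
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


@dataclass
class Server:
    # Off by default, as the thread proposes; an operator must turn it on.
    admin_ui_enabled: bool = False
    # Record of performed state changes, so a test can prove that requests
    # using safe methods never mutate anything.
    log: list = field(default_factory=list)

    def handle(self, method: str, path: str) -> Response:
        route = ROUTES.get(path)
        if route is None:
            return Response(404, "not found")
        state_changing, name = route

        # The admin UI is simply absent unless explicitly enabled.
        if name == "admin_ui" and not self.admin_ui_enabled:
            return Response(404, "admin UI disabled")

        # Refuse, rather than perform, a state change requested via a safe
        # method, and tell the client which method is acceptable.
        if state_changing and method in SAFE_METHODS:
            return Response(405, "state-changing request requires POST",
                            {"Allow": "POST"})

        if state_changing:
            self.log.append(name)
            return Response(200, f"{name} done")
        return Response(200, f"{name} ok")


def demo() -> dict:
    """Exercise the dispatcher and return the observed status codes."""
    s = Server()
    return {
        "get_reload": s.handle("GET", "/reload-core").status,
        "post_reload": s.handle("POST", "/reload-core").status,
        "get_admin_default": s.handle("GET", "/admin/").status,
        "get_admin_enabled": Server(admin_ui_enabled=True).handle("GET", "/admin/").status,
        "state_changes": list(s.log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `log` field is that it lets you verify the property the RFC requires rather than just assert it: after a GET to a state-changing path, the log is still empty, while the same path via POST records the action.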