On Sat, Jul 23, 2022 at 1:38 PM Shawn Heisey <apa...@elyograg.org> wrote:
> On 7/23/2022 9:41 AM, Gus Heck wrote:
> > There is something of a risk to have a server that accepts non safe get
> > requests. All these requests are contrary to the HTTP specification (
> > https://www.rfc-editor.org/rfc/rfc9110.html#section-9.2.1).
>
> If the only way to make certain things happen with a GET is via the
> admin UI, then I think we can close that vector by turning the admin UI
> off by default and requiring a config option to enable it, probably in
> solr.xml.

The admin UI is definitely not required presently to make persistent changes to Solr. The V1 API is GET request based. Only if one were to turn off V1 (i.e. deconfigure its servlet in a hypothetical future) would that become true.

If we were to try to turn various versions of the APIs or feature areas on and off, it would imply yet another if check for yet another system property or some such that runs on every request. Much better if the inherent dispatch of the server started the request off in a servlet focused on that feature (or returned 404).

As I think was mentioned previously in another discussion where I brought this up, we do have some difficulty with the order of some of our API commands because the collection is part of the URL ahead of the verb that would normally denote the servlet, i.e. we have /solr/collection1/update instead of /solr/update/collection1, so some URL remapping for back compat might become necessary, but that's an easily solved problem I think. (jetty.xml is already using the rewrite handler for other things, so that might be a place to start.)

-Gus

--
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
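As an added illustration of the URL remapping idea (not from the thread or from the Solr project), a jetty.xml fragment using Jetty's RewriteRegexRule to map the collection-first form /solr/collection1/update onto a verb-first /solr/update/collection1 path, so that a dedicated update servlet can be dispatched to by path alone. The rule body, the wrapped-handler reference and the idea of a per-feature servlet are assumptions; only the two URL shapes come from the message.

```xml
<!-- Added example, not Solr's shipped jetty.xml. Assumes the Solr webapp is
     the handler this rewrite wraps; rule order and handler wiring are assumed. -->
<New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
  <!-- Legacy collection-first URL: /solr/<collection>/update[/...?...] -->
  <Call name="addRule">
    <Arg>
      <New class="org.eclipse.jetty.rewrite.handler.RewriteRegexRule">
        <!-- Capture the collection name and whatever follows the verb. -->
        <Set name="regex">^/solr/([^/]+)/update(/.*)?$</Set>
        <!-- Verb-first target the update servlet would be mapped on. -->
        <Set name="replacement">/solr/update/$1$2</Set>
      </New>
    </Arg>
  </Call>
  <!-- Requests are then routed purely by path; a path with no servlet mapped
       falls through to 404 instead of hitting a generic dispatcher. -->
</New>
```

Because the rewrite happens before servlet dispatch, an update servlet mapped on /solr/update/* can reject non-idempotent work on GET at its entry point without a per-request feature flag check elsewhere.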