Ishan Chattopadhyaya created SOLR-14071:
-------------------------------------------
Summary: Untrusted configsets shouldn't be allowed to use <lib> directive
Key: SOLR-14071
URL: https://issues.apache.org/jira/browse/SOLR-14071
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Ishan Chattopadhyaya
Fix For: 8.4
Allowing untrusted configsets, i.e. those that have been uploaded using the
configset upload API without authx enabled, to use the <lib> directive can open
up possibilities for malicious users to include insecure contribs libraries.
Whoever wants to use their own libraries can add them to the classpath of Solr
(i.e. place them wherever solr-core-*jar resides). For them, the <lib>
directive won't be necessary anyway.
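The check the issue argues for, sketched as an added example that is not part of the original report or of Solr's code: a Python audit that lists the `<lib>` directives in a configset's `solrconfig.xml` and flags them when the configset is untrusted. The sample configs, the function names and the caller-supplied `trusted` flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragments (not from any real deployment).
SAMPLE_WITH_LIB = """<config>
  <luceneMatchVersion>8.3.0</luceneMatchVersion>
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\\.jar"/>
  <lib path="../extra/custom-plugin.jar"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>"""

SAMPLE_CLEAN = """<config>
  <luceneMatchVersion>8.3.0</luceneMatchVersion>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>"""


def find_lib_directives(solrconfig_xml):
    """Return the attributes of every <lib> element, at any depth."""
    # Uploaded configs are untrusted input: refuse DTDs so entity
    # expansion never reaches the parser.
    if "<!DOCTYPE" in solrconfig_xml.upper():
        raise ValueError("DOCTYPE not accepted in an audited solrconfig.xml")
    root = ET.fromstring(solrconfig_xml)
    return [dict(el.attrib) for el in root.iter("lib")]


def audit_configset(name, solrconfig_xml, trusted):
    """Flag <lib> directives in a configset that is marked untrusted.

    `trusted` is supplied by the caller (assumption: the operator knows
    whether the configset was uploaded without authentication).
    """
    libs = find_lib_directives(solrconfig_xml)
    if trusted or not libs:
        return []
    findings = []
    for attrs in libs:
        target = attrs.get("path") or attrs.get("dir") or "<no path/dir>"
        findings.append(
            f"{name}: untrusted configset loads libraries from {target}")
    return findings


if __name__ == "__main__":
    for line in audit_configset("uploaded", SAMPLE_WITH_LIB, trusted=False):
        print(line)
```
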