[ https://issues.apache.org/jira/browse/SOLR-13984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17003258#comment-17003258 ]
ASF subversion and git services commented on SOLR-13984: -------------------------------------------------------- Commit efd13f2884d55d67d73dca771fa9a2a20ae3d6ee in lucene-solr's branch refs/heads/gradle-master from Robert Muir [ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=efd13f2 ] SOLR-13984: docs, changes.txt > Solr should run inside a SecurityManager > ---------------------------------------- > > Key: SOLR-13984 > URL: https://issues.apache.org/jira/browse/SOLR-13984 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Reporter: Ishan Chattopadhyaya > Assignee: Robert Muir > Priority: Major > Fix For: 8.5 > > Time Spent: 3.5h > Remaining Estimate: 0h > > To reduce the effect of attacks, esp. RCE, Solr should run inside a > SecurityManager. > Quoting Uwe here: > {quote} > The correct way to fix all issues we have seen the last time is very simple: > LET'S RUN SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). > Elasticsearch is doing this, so please please let's do this instead. But this > requires to finally get rid of the webapplication and start.jar and add our > own bootstrapping (like in tests) that configure Jetty and Security Manager > from our own org.apache.solr.bootstrap.Main.java (or similar). > {quote} > https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038 -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org