[jira] [Assigned] (SOLR-14792) Remove VelocityResponseWriter from Solr 9

2021-01-11 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14792?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher reassigned SOLR-14792:
---

Assignee: Erik Hatcher

> Remove VelocityResponseWriter from Solr 9
> -
>
> Key: SOLR-14792
> URL: https://issues.apache.org/jira/browse/SOLR-14792
> Project: Solr
>  Issue Type: Improvement
>Affects Versions: master (9.0)
>Reporter: Erik Hatcher
>Assignee: Erik Hatcher
>Priority: Blocker
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> VelocityResponseWriter was deprecated in SOLR-14065.   It can now be removed 
> from 9's code branch.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org



[jira] [Resolved] (SOLR-14799) JWT authentication plugin should not require subject, unless set as principalClaim

2020-09-16 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher resolved SOLR-14799.
-
Resolution: Fixed

> JWT authentication plugin should not require subject, unless set as 
> principalClaim
> --
>
> Key: SOLR-14799
> URL: https://issues.apache.org/jira/browse/SOLR-14799
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Erik Hatcher
>Assignee: Erik Hatcher
>Priority: Blocker
> Fix For: 8.7
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Some environments don't use "sub" (subject) claim with Solr, but rather rely 
> on a custom claim (such as "solrid") to be required.   This ticket is about 
> making subject claim optional, and only required when principalClaim=sub






[jira] [Assigned] (SOLR-14799) JWT authentication plugin should not require subject, unless set as principalClaim

2020-09-16 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher reassigned SOLR-14799:
---

Assignee: Erik Hatcher

> JWT authentication plugin should not require subject, unless set as 
> principalClaim
> --
>
> Key: SOLR-14799
> URL: https://issues.apache.org/jira/browse/SOLR-14799
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Erik Hatcher
>Assignee: Erik Hatcher
>Priority: Blocker
> Fix For: 8.7
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Some environments don't use "sub" (subject) claim with Solr, but rather rely 
> on a custom claim (such as "solrid") to be required.   This ticket is about 
> making subject claim optional, and only required when principalClaim=sub






[jira] [Updated] (SOLR-14799) JWT authentication plugin should not require subject, unless set as principalClaim

2020-09-15 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-14799:

Fix Version/s: 8.7

> JWT authentication plugin should not require subject, unless set as 
> principalClaim
> --
>
> Key: SOLR-14799
> URL: https://issues.apache.org/jira/browse/SOLR-14799
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Erik Hatcher
>Priority: Major
> Fix For: 8.7
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Some environments don't use "sub" (subject) claim with Solr, but rather rely 
> on a custom claim (such as "solrid") to be required.   This ticket is about 
> making subject claim optional, and only required when principalClaim=sub






[jira] [Updated] (SOLR-14799) JWT authentication plugin should not require subject, unless set as principalClaim

2020-09-15 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-14799:

Priority: Blocker  (was: Major)

> JWT authentication plugin should not require subject, unless set as 
> principalClaim
> --
>
> Key: SOLR-14799
> URL: https://issues.apache.org/jira/browse/SOLR-14799
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Erik Hatcher
>Priority: Blocker
> Fix For: 8.7
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Some environments don't use "sub" (subject) claim with Solr, but rather rely 
> on a custom claim (such as "solrid") to be required.   This ticket is about 
> making subject claim optional, and only required when principalClaim=sub






[jira] [Created] (SOLR-14799) JWT authentication plugin should not require subject, unless set as principalClaim

2020-08-31 Thread Erik Hatcher (Jira)
Erik Hatcher created SOLR-14799:
---

 Summary: JWT authentication plugin should not require subject, 
unless set as principalClaim
 Key: SOLR-14799
 URL: https://issues.apache.org/jira/browse/SOLR-14799
 Project: Solr
  Issue Type: Improvement
  Security Level: Public (Default Security Level. Issues are Public)
Reporter: Erik Hatcher


Some environments don't use "sub" (subject) claim with Solr, but rather rely on 
a custom claim (such as "solrid") to be required.   This ticket is about making 
subject claim optional, and only required when principalClaim=sub






[jira] [Created] (SOLR-14792) Remove VelocityResponseWriter from Solr 9

2020-08-28 Thread Erik Hatcher (Jira)
Erik Hatcher created SOLR-14792:
---

 Summary: Remove VelocityResponseWriter from Solr 9
 Key: SOLR-14792
 URL: https://issues.apache.org/jira/browse/SOLR-14792
 Project: Solr
  Issue Type: Improvement
  Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 9
Reporter: Erik Hatcher


VelocityResponseWriter was deprecated in SOLR-14065.   It can now be removed 
from 9's code branch.






[jira] [Updated] (SOLR-14541) Ensure classes that implement equals implement hashCode or suppress warnings

2020-06-08 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-14541:

Summary: Ensure classes that implement equals implement hashCode or 
suppress warnings  (was: Insure classes that implement equals implement 
hashCode or suppress warnings)

> Ensure classes that implement equals implement hashCode or suppress warnings
> 
>
> Key: SOLR-14541
> URL: https://issues.apache.org/jira/browse/SOLR-14541
> Project: Solr
>  Issue Type: Sub-task
>Reporter: Erick Erickson
>Assignee: Erick Erickson
>Priority: Major
>
> While looking at warnings, I found that the following classes generate this 
> warning:
> *overrides equals, but neither it nor any superclass overrides hashCode 
> method*
> I can suppress the warning, but this has been a source of errors in the past 
> so I'm reluctant to just do that blindly.
> NOTE: The Lucene one should probably be its own Jira if it's going to have
> hashCode implemented, but here for triage.
> What I need for each method is for someone who has a clue about that 
> particular code to render an opinion that we can safely suppress the warning 
> or to provide a hashCode method.
> Some of these have been here for a very long time and were implemented by 
> people no longer active...
> lucene/suggest/src/java/org/apache/lucene/search/spell/LuceneLevenshteinDistance.java:39
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/VersionedData.java:31
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/AutoScalingConfig.java:61
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/AutoScalingConfig.java:150
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/AutoScalingConfig.java:252
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/AutoScalingConfig.java:45
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/Policy.java:73
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/Preference.java:32
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/ReplicaInfo.java:39
>  solr/solrj/src/java/org/apache/solr/common/cloud/ZkNodeProps.java:34
>  solr/solrj/src/java/org/apache/solr/common/cloud/Replica.java:26
>  solr/solrj/src/java/org/apache/solr/common/cloud/DocCollection.java:49
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/cloud/autoscaling/ReplicaCount.java:27
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/expr/StreamExpression.java:25
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/expr/StreamExpressionNamedParameter.java:23
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/CloudSolrStream.java:467
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/DeepRandomStream.java:417
>  
> solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/expr/StreamExpressionValue.java:22
>  solr/core/src/java/org/apache/solr/cloud/rule/Rule.java:277
>  solr/core/src/java/org/apache/solr/pkg/PackageAPI.java:177
>  solr/core/src/java/org/apache/solr/packagemanager/SolrPackageInstance.java:31
>  






[jira] [Updated] (SOLR-13971) Velocity custom template RCE vulnerability

2020-01-08 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-13971:

Summary: Velocity custom template RCE vulnerability  (was: CVE-2019-17558: 
Velocity custom template RCE vulnerability)

> Velocity custom template RCE vulnerability
> --
>
> Key: SOLR-13971
> URL: https://issues.apache.org/jira/browse/SOLR-13971
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>Affects Versions: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
>Reporter: Ishan Chattopadhyaya
>Assignee: Ishan Chattopadhyaya
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-13971.patch
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> We need to disable this. There is a zero day attack in the wild. 41 stars on 
> this github project: 
> # https://github.com/jas502n/solr_rce
> # https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> We need to disable this in a way that cannot be re-enabled using the Config 
> API.






[jira] [Updated] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1

2020-01-08 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-14025:

Summary: CVE-2019-17558: Velocity response writer RCE vulnerability 
persists after 8.3.1  (was: Velocity response writer RCE vulnerability persists 
after 8.3.1)

> CVE-2019-17558: Velocity response writer RCE vulnerability persists after 
> 8.3.1
> ---
>
> Key: SOLR-14025
> URL: https://issues.apache.org/jira/browse/SOLR-14025
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: contrib - Velocity
>Affects Versions: 8.3.1
>Reporter: Ishan Chattopadhyaya
>Assignee: Erik Hatcher
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, 
> SOLR-14025.patch, SOLR-14025.patch
>
>
> [~gezapeti] from Cloudera kindly reported this to me:
> {code}
> Hi Ishan! I’d like to raise (yet another) issue with SOLR-13971 and the
> Velocity templates. I’m working at Cloudera on Solr and have taken the time 
> to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The 
> sad thing is: It’s possible to upload a properties file into ZK and add the 
> resource loaders in that file. I think we should add yet another option to
> make the init-from-property file functionality off by default.
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73
>  this property loads the file here 
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73
> apache/lucene-solr 
> | Added by GitHub
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141
> apache/lucene-solr 
> | Added by GitHub
> {code}
> Seems like our mitigation wasn't good enough, there's another way to load 
> resources.
> I've requested him to follow procedure here 
> (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I 
> opened this JIRA anyway.






[jira] [Commented] (SOLR-13971) CVE-2019-17558: Velocity custom template RCE vulnerability

2020-01-08 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17010630#comment-17010630
 ] 

Erik Hatcher commented on SOLR-13971:
-

[~sachinpat...@gmail.com] - you must also include SOLR-14025's patch - 
[https://github.com/apache/lucene-solr/commit/9dfee35b9facbcbc9342d8bbbe52667cb6d1dced]
 

> CVE-2019-17558: Velocity custom template RCE vulnerability
> --
>
> Key: SOLR-13971
> URL: https://issues.apache.org/jira/browse/SOLR-13971
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>Affects Versions: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
>Reporter: Ishan Chattopadhyaya
>Assignee: Ishan Chattopadhyaya
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-13971.patch
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> We need to disable this. There is a zero day attack in the wild. 41 stars on 
> this github project: 
> # https://github.com/jas502n/solr_rce
> # https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> We need to disable this in a way that cannot be re-enabled using the Config 
> API.






[jira] [Commented] (SOLR-13971) CVE-2019-17558: Velocity custom template RCE vulnerability

2020-01-08 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17010628#comment-17010628
 ] 

Erik Hatcher commented on SOLR-13971:
-

It's important that these two JIRAs are tied.  SOLR-14025 addresses the CVE 
fully, whereas this ticket's patch still had an exploitable pathway.

> CVE-2019-17558: Velocity custom template RCE vulnerability
> --
>
> Key: SOLR-13971
> URL: https://issues.apache.org/jira/browse/SOLR-13971
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>Affects Versions: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
>Reporter: Ishan Chattopadhyaya
>Assignee: Ishan Chattopadhyaya
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-13971.patch
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> We need to disable this. There is a zero day attack in the wild. 41 stars on 
> this github project: 
> # https://github.com/jas502n/solr_rce
> # https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> We need to disable this in a way that cannot be re-enabled using the Config 
> API.






[jira] [Updated] (SOLR-13971) CVE-2019-17558: Velocity custom template RCE vulnerability

2019-12-30 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-13971:

Security: Public  (was: Private (Security Issue))

> CVE-2019-17558: Velocity custom template RCE vulnerability
> --
>
> Key: SOLR-13971
> URL: https://issues.apache.org/jira/browse/SOLR-13971
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>Affects Versions: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
>Reporter: Ishan Chattopadhyaya
>Assignee: Ishan Chattopadhyaya
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-13971.patch
>
>
> We need to disable this. There is a zero day attack in the wild. 41 stars on 
> this github project: 
> # https://github.com/jas502n/solr_rce
> # https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> We need to disable this in a way that cannot be re-enabled using the Config 
> API.






[jira] [Updated] (SOLR-14025) Velocity response writer RCE vulnerability persists after 8.3.1

2019-12-30 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-14025:

Security: Public  (was: Private (Security Issue))

> Velocity response writer RCE vulnerability persists after 8.3.1
> ---
>
> Key: SOLR-14025
> URL: https://issues.apache.org/jira/browse/SOLR-14025
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: contrib - Velocity
>Affects Versions: 8.3.1
>Reporter: Ishan Chattopadhyaya
>Assignee: Erik Hatcher
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, 
> SOLR-14025.patch, SOLR-14025.patch
>
>
> [~gezapeti] from Cloudera kindly reported this to me:
> {code}
> Hi Ishan! I’d like to raise (yet another) issue with SOLR-13971 and the
> Velocity templates. I’m working at Cloudera on Solr and have taken the time 
> to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The 
> sad thing is: It’s possible to upload a properties file into ZK and add the 
> resource loaders in that file. I think we should add yet another option to
> make the init-from-property file functionality off by default.
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73
>  this property loads the file here 
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73
> apache/lucene-solr 
> | Added by GitHub
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141
> apache/lucene-solr 
> | Added by GitHub
> {code}
> Seems like our mitigation wasn't good enough, there's another way to load 
> resources.
> I've requested him to follow procedure here 
> (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I 
> opened this JIRA anyway.






[jira] [Commented] (SOLR-14124) Implement `remove-repo` package manager command

2019-12-19 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17000273#comment-17000273
 ] 

Erik Hatcher commented on SOLR-14124:
-

How should this respond when plugins are installed and possibly deployed?

> Implement `remove-repo` package manager command
> ---
>
> Key: SOLR-14124
> URL: https://issues.apache.org/jira/browse/SOLR-14124
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: Plugin system
>Reporter: Erik Hatcher
>Priority: Minor
>
> `bin/solr package remove-repo `






[jira] [Created] (SOLR-14124) Implement `remove-repo` package manager command

2019-12-19 Thread Erik Hatcher (Jira)
Erik Hatcher created SOLR-14124:
---

 Summary: Implement `remove-repo` package manager command
 Key: SOLR-14124
 URL: https://issues.apache.org/jira/browse/SOLR-14124
 Project: Solr
  Issue Type: Improvement
  Security Level: Public (Default Security Level. Issues are Public)
  Components: Plugin system
Reporter: Erik Hatcher


`bin/solr package remove-repo `






[jira] [Resolved] (SOLR-7012) add an ant target to package a plugin into a jar

2019-12-19 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-7012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher resolved SOLR-7012.

Resolution: Won't Fix

this has been effectively implemented with the new package/plugin management 
feature

> add an ant target to package a plugin into a jar
> 
>
> Key: SOLR-7012
> URL: https://issues.apache.org/jira/browse/SOLR-7012
> Project: Solr
>  Issue Type: Improvement
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Major
> Attachments: SOLR-7012-sdk.patch, SOLR-7012.patch, SOLR-7012.patch, 
> SOLR-7012.patch
>
>
> Now it is extremely hard to create a plugin because the user does not know about
> the exact dependencies and their poms
> we will add a target to solr/build.xml called plugin-jar
> invoke it as follows
> {code}
> ant -Dplugin.package=my.package -Djar.location=/tmp/my.jar plugin-jar
> {code}






[jira] [Commented] (SOLR-14065) Deprecate Velocity

2019-12-12 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16994796#comment-16994796
 ] 

Erik Hatcher commented on SOLR-14065:
-

{quote}I’d love to see a small angular/react app instead that people could use 
for rapid search UI prototyping.
{quote}
[Blacklight|https://projectblacklight.org] deserves a shout out here - it's an 
open source, ASL'd, straightforward and super flexible user interface framework 
for Solr.

> Deprecate Velocity
> --
>
> Key: SOLR-14065
> URL: https://issues.apache.org/jira/browse/SOLR-14065
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Ishan Chattopadhyaya
>Priority: Major
> Fix For: 8.4
>
>
> Velocity response writer is not widely used. Let us deprecate velocity in 8.4 
> and remove it in 9x or 10x.






[jira] [Commented] (SOLR-14065) Deprecate Velocity

2019-12-12 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16994794#comment-16994794
 ] 

Erik Hatcher commented on SOLR-14065:
-

Regrettably +1: RIP Solritas.

> Deprecate Velocity
> --
>
> Key: SOLR-14065
> URL: https://issues.apache.org/jira/browse/SOLR-14065
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Ishan Chattopadhyaya
>Priority: Major
> Fix For: 8.4
>
>
> Velocity response writer is not widely used. Let us deprecate velocity in 8.4 
> and remove it in 9x or 10x.






[jira] [Commented] (SOLR-13978) Remove bloat from default configset

2019-12-11 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16993664#comment-16993664
 ] 

Erik Hatcher commented on SOLR-13978:
-

With the removal of /browse, you can also remove params.json (unless something 
else uses any of those paramsets, but I don't think so)

> Remove bloat from default configset
> ---
>
> Key: SOLR-13978
> URL: https://issues.apache.org/jira/browse/SOLR-13978
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Ishan Chattopadhyaya
>Assignee: Ishan Chattopadhyaya
>Priority: Blocker
> Fix For: 8.4
>
> Attachments: SOLR-13978.patch, SOLR-13978.patch
>
>
> We need to review and remove all components that are not essential for 
> search, indexing and other core functionality. Velocity, DIH, etc. should be 
> reviewed.
> (Marking this as a 8.4 release blocker).






[jira] [Commented] (SOLR-13993) sandbox velocity template render

2019-12-03 Thread Erik Hatcher (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-13993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16987155#comment-16987155
 ] 

Erik Hatcher commented on SOLR-13993:
-

Attached patch exercises the test security manager which does the trick (when 
run from `ant test`).  Testing without the security manager (from IntelliJ) 
fails two of those tests appropriately.

> sandbox velocity template render
> 
>
> Key: SOLR-13993
> URL: https://issues.apache.org/jira/browse/SOLR-13993
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Robert Muir
>Priority: Major
> Attachments: SOLR-13993.patch
>
>
> This thing seems dangerous :)
> Making the whole solr secure is a whole nother thing: (see e.g. SOLR-13991 
> and we haven't even gotten started). Its pretty difficult to convert whole 
> large app to work securely. It is going to take time.
> In the meantime, if we have things that might do something dangerous, and 
> security manager is enabled, we can put them into a special little sandbox 
> and throw away the key: for example we can intentionally discard permissions 
> we don't need so they can't launch stuff, if we really don't trust them, we 
> can start filtering what classes classloader will load.
> This isn't that crazy at all to do, e.g. your web browser does similar tricks 
> to try to sandbox specific parts that might do something unexpected and cause 
> security issue.






[jira] [Updated] (SOLR-13993) sandbox velocity template render

2019-12-03 Thread Erik Hatcher (Jira)


 [ 
https://issues.apache.org/jira/browse/SOLR-13993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik Hatcher updated SOLR-13993:

Attachment: SOLR-13993.patch

> sandbox velocity template render
> 
>
> Key: SOLR-13993
> URL: https://issues.apache.org/jira/browse/SOLR-13993
> Project: Solr
>  Issue Type: Improvement
>  Security Level: Public(Default Security Level. Issues are Public) 
>Reporter: Robert Muir
>Priority: Major
> Attachments: SOLR-13993.patch
>
>
> This thing seems dangerous :)
> Making the whole solr secure is a whole nother thing: (see e.g. SOLR-13991 
> and we haven't even gotten started). It's pretty difficult to convert whole
> large app to work securely. It is going to take time.
> In the meantime, if we have things that might do something dangerous, and 
> security manager is enabled, we can put them into a special little sandbox 
> and throw away the key: for example we can intentionally discard permissions 
> we don't need so they can't launch stuff, if we really don't trust them, we 
> can start filtering what classes classloader will load.
> This isn't that crazy at all to do, e.g. your web browser does similar tricks 
> to try to sandbox specific parts that might do something unexpected and cause 
> security issue.


