[ https://issues.apache.org/jira/browse/SOLR-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12779369#action_12779369 ]

Noble Paul commented on SOLR-1523:
----------------------------------

bq. ...but I'm opposed to this idea as well. Any feature that purports to make 
Solr more "secure" just leaves us more open to risk 

I cannot completely agree with this. There are different levels of security. 
This one is not necessarily a security thing. This is just avoiding someone 
inadvertently invoking some request handler and making a write operation. If by 
configuration we can disallow GET for certain RequestHandlers, I guess it should 
be fine. This can make the Solr server move from "extremely vulnerable" to 
"moderately vulnerable". For some users that should be just fine.

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>
>                 Key: SOLR-1523
>                 URL: https://issues.apache.org/jira/browse/SOLR-1523
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4
>            Reporter: Lance Norskog
>
> GET vs. POST/PUT/DELETE
> The multicore implementation allows HTTP GET requests to perform system 
> administration commands. This means that a URL which alters the system can 
> be bookmarked/e-mailed/etc. This is dangerous in a production system.
> A clean implementation should give every request handler the ability to 
> accept some HTTP verbs and reject others. It could be just a boolean for 
> whether it accepts a GET, or the interface might actually have a list of 
> verbs it accepts. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
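
The per-handler verb list proposed in the issue description, sketched as an added example that is not part of the original message and is not Solr's API. The class and method names are hypothetical and the request lines are constructed samples.

```java
import java.util.*;

// Hypothetical per-handler verb policy (not Solr code); sample requests are constructed.
public class HandlerVerbPolicy {
    private final Map<String, Set<String>> allowed = new HashMap<>();
    private final Set<String> defaultVerbs;

    HandlerVerbPolicy(String... defaults) { defaultVerbs = verbs(defaults); }

    private static Set<String> verbs(String... v) {
        Set<String> s = new TreeSet<>();
        for (String x : v) s.add(x.toUpperCase(Locale.ROOT));
        return s;
    }

    // Register the only verbs a handler accepts; lookup is by exact handler path.
    HandlerVerbPolicy restrict(String handlerPath, String... v) {
        allowed.put(normalize(handlerPath), verbs(v));
        return this;
    }

    // Drop the query string and trailing slashes so "/update/?commit=true" maps to "/update".
    static String normalize(String uri) {
        int q = uri.indexOf('?');
        String p = q >= 0 ? uri.substring(0, q) : uri;
        while (p.length() > 1 && p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    // "200" when the verb is accepted, otherwise 405 plus the Allow header a filter would send.
    String check(String method, String uri) {
        Set<String> ok = allowed.getOrDefault(normalize(uri), defaultVerbs);
        if (ok.contains(method.toUpperCase(Locale.ROOT))) return "200";
        return "405 Allow: " + String.join(", ", ok);
    }

    public static void main(String[] args) {
        HandlerVerbPolicy policy = new HandlerVerbPolicy("GET", "HEAD", "POST")
            .restrict("/admin/cores", "POST")   // core administration: GET rejected
            .restrict("/update", "POST");       // index writes: GET rejected
        String[][] requests = {                 // constructed sample requests
            {"GET", "/select?q=*:*"},
            {"GET", "/admin/cores?action=UNLOAD&core=core0"},
            {"POST", "/admin/cores?action=UNLOAD&core=core0"},
            {"get", "/update/?commit=true"},
        };
        for (String[] r : requests)
            System.out.println(r[0] + " " + r[1] + " -> " + policy.check(r[0], r[1]));
    }
}
```

Handlers without an entry fall back to the default verb set, so every write-capable handler path needs its own `restrict` call.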
