SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1713530 13f79535-47bb-0310-9956-ffa450edef68
Joel Bernstein 2015-11-09 20:19:56 +00:00
parent be10d9e501
commit b4b7fce0fe
3 changed files with 37 additions and 11 deletions

@ -354,6 +354,9 @@ Bug Fixes
* SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward, * SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward,
Mark Miller) Mark Miller)
* SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons
(Joel Bernstein)
Optimizations Optimizations
---------------------- ----------------------
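Review bot: The CHANGES entry for SOLR-8262 says only "for security reasons", which does not tell someone upgrading what the exposure is, or that a solrconfig.xml copied from an earlier sample still has /stream enabled. Suggest naming the cause the config comment already gives (Java Serialization used for RPC, with commons-collections on the classpath, COLLECTIONS-580) and adding a sentence advising existing deployments to comment out the handler in their own configs.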

@ -871,8 +871,18 @@
<!-- <!--
Distributed Stream processing.
--> Uncomment for distributed Stream processing (also required by the /sql handler in map_reduce mode).
SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
Java Objects to Worker nodes.
Solr also currently has apache commons-collections in it's classpath.
This makes Solr vulnerable to this security exploit:
https://issues.apache.org/jira/browse/COLLECTIONS-580.
<requestHandler name="/stream" class="solr.StreamHandler"> <requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants"> <lst name="invariants">
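Review bot: Two typos in the added warning text: "SECURTIY WARNING" should read "SECURITY WARNING", and "in it's classpath" should be "in its classpath". The misspelled heading matters beyond style, since anyone searching their configs for "SECURITY" will miss this block. The same text is added to the second sample config and needs the same fix there.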
@ -881,6 +891,7 @@
</lst> </lst>
</requestHandler> </requestHandler>
-->
<requestHandler name="/sql" class="solr.SQLHandler"> <requestHandler name="/sql" class="solr.SQLHandler">
<lst name="invariants"> <lst name="invariants">
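Review bot: After the closing "-->" the /sql handler stays active, yet the comment added above it says /stream is "also required by the /sql handler in map_reduce mode". With /stream commented out, that mode of /sql loses its dependency in the default config and nothing at the /sql definition says so. Suggest a short comment above the /sql requestHandler pointing back at the /stream block, or a line in the commit message stating that map_reduce mode is expected not to work until /stream is re-enabled.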

@ -899,8 +899,18 @@
<!-- <!--
Distributed Stream processing.
--> Uncomment for distributed Stream processing (also required by the /sql handler in map_reduce mode).
SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
Java Objects to Worker nodes.
Solr also currently has apache commons-collections in it's classpath.
This makes Solr vulnerable to this security exploit:
https://issues.apache.org/jira/browse/COLLECTIONS-580.
<requestHandler name="/stream" class="solr.StreamHandler"> <requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants"> <lst name="invariants">
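Review bot: The comment explains why /stream is disabled, but the only instruction is "Uncomment for distributed Stream processing", with no statement of when uncommenting is acceptable. Suggest adding a line that gives the condition, for example that the handler should be enabled only where the Solr nodes are reachable solely by trusted hosts, or once the referenced commons-collections issue (COLLECTIONS-580) no longer applies to the jar on the classpath.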
@ -909,6 +919,8 @@
</lst> </lst>
</requestHandler> </requestHandler>
-->
<requestHandler name="/sql" class="solr.SQLHandler"> <requestHandler name="/sql" class="solr.SQLHandler">
<lst name="invariants"> <lst name="invariants">
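Review bot: The header for this hunk counts two added lines (909,6 to 919,8) while only the closing "-->" is visible, and the matching hunk in the other sample config adds a single line (881,6 to 891,7). If the extra line is a stray blank or whitespace-only line, drop it so the two sample configs stay identical around the /stream block and future diffs between them stay clean.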