Apache
/
lucene
mirror of https://github.com/apache/lucene.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons 

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1713530 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joel Bernstein 2015-11-09 20:19:56 +00:00
parent be10d9e501
commit b4b7fce0fe
3 changed files with 37 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
solr/CHANGES.txt
View File

@ -354,6 +354,9 @@ Bug Fixes
* SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward, * SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward,
Mark Miller) Mark Miller)
* SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons
(Joel Bernstein)
Optimizations Optimizations
---------------------- ----------------------

17
solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
View File

@ -870,9 +870,19 @@
</requestHandler> </requestHandler>
<!-- <!--
Distributed Stream processing.
--> Uncomment for distributed Stream processing (also required by the /sql handler in map_reduce mode).
SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
Java Objects to Worker nodes.
Solr also currently has apache commons-collections in it's classpath.
This makes Solr vulnerable to this security exploit:
https://issues.apache.org/jira/browse/COLLECTIONS-580.
<requestHandler name="/stream" class="solr.StreamHandler"> <requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants"> <lst name="invariants">
@ -881,6 +891,7 @@
</lst> </lst>
</requestHandler> </requestHandler>
-->
<requestHandler name="/sql" class="solr.SQLHandler"> <requestHandler name="/sql" class="solr.SQLHandler">
<lst name="invariants"> <lst name="invariants">

28
solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml
View File

@ -899,15 +899,27 @@
<!-- <!--
Distributed Stream processing.
-->
<requestHandler name="/stream" class="solr.StreamHandler"> Uncomment for distributed Stream processing (also required by the /sql handler in map_reduce mode).
<lst name="invariants">
<str name="wt">json</str> SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
<str name="distrib">false</str> Java Objects to Worker nodes.
</lst>
</requestHandler> Solr also currently has apache commons-collections in it's classpath.
This makes Solr vulnerable to this security exploit:
https://issues.apache.org/jira/browse/COLLECTIONS-580.
<requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants">
<str name="wt">json</str>
<str name="distrib">false</str>
</lst>
</requestHandler>
-->
<requestHandler name="/sql" class="solr.SQLHandler"> <requestHandler name="/sql" class="solr.SQLHandler">