Uwe,
Here is the ticket https://issues.apache.org/jira/browse/SOLR-6801

It has an option to load a RequestHandler from a jar loaded by the user.

By default the loading feature is enabled.
We need to disable that by default unless it is enabled from a command-line
system property.
Noble

On Fri, Feb 13, 2015 at 2:32 PM, Anshum Gupta <[email protected]>
wrote:

> Hi Uwe,
>
> You could upload a jar to Solr via the blob handler and then register this
> custom-handler via the configs API.
> Anyone having http access to any solr node could potentially run malicious
> code on all nodes.
>
>
> On Fri, Feb 13, 2015 at 12:56 AM, Uwe Schindler <[email protected]> wrote:
>
>> Hi,
>>
>> What are we talking about? I just heard security, but no issue number or
>> explanation of what's wrong!
>>
>> Uwe
>>
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: [email protected]
>>
>> *From:* Shalin Shekhar Mangar [mailto:[email protected]]
>> *Sent:* Friday, February 13, 2015 9:49 AM
>> *To:* [email protected]
>> *Subject:* Re: [VOTE] 5.0.0 RC2
>>
>> This is serious enough to re-spin. I have to change my vote to -1 to
>> release the current RC.
>>
>> On 13-Feb-2015 2:15 pm, "Noble Paul" <[email protected]> wrote:
>>
>> We should disable the dynamic loading by default. It's a security
>> vulnerability and users should have to explicitly enable it in a system
>> property.
>>
>> On Feb 13, 2015 6:47 AM, "Anshum Gupta" <[email protected]> wrote:
>>
>> Thank you everyone! This vote has passed and I'll start the process later
>> tonight.
>>
>> On Mon, Feb 9, 2015 at 3:16 PM, Anshum Gupta <[email protected]>
>> wrote:
>>
>> Please vote for the second release candidate for Lucene/Solr 5.0.0.
>>
>> The artifacts can be downloaded here:
>> http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469
>>
>> Or you can run the smoke tester directly with this command:
>>
>> python3.2 dev-tools/scripts/smokeTestRelease.py
>> http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469
>>
>> I could not get the above command to work as downloading some file or the
>> other timed out for me (over 6 attempts), so I instead downloaded the entire
>> RC as a tgz. I still have it here:
>> http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469.tgz
>>
>> Untar the above folder at a location of choice. Do not change the name of
>> the folder, as smokeTestRelease.py extracts information from that.
>>
>> and then, instead of using http, I used file://. Here's the command:
>>
>> python3.2 dev-tools/scripts/smokeTestRelease.py
>> file://<path_to_the_extracted_folder>
>>
>> and finally, here's my +1:
>>
>> > SUCCESS! [0:30:50.246761]
>>
>> --
>> Anshum Gupta
>> http://about.me/anshumgupta
>>
>> --
>> Anshum Gupta
>> http://about.me/anshumgupta
>>
>
> --
> Anshum Gupta
> http://about.me/anshumgupta
>

-- 
-----------------------------------------------------
Noble Paul