[
https://issues.apache.org/jira/browse/SOLR-9623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16024472#comment-16024472
]
Jan Høydahl commented on SOLR-9623:
-----------------------------------
I was hoping that this would also disallow {{stream.body}} but it doesn't. In
fact there is no way to disable stream.body. Although useful in tests, I think
it is an anti-pattern to be able to fake a POST request using GET, which is
what this allows in practice.
Anyone in favor of adding [the remoteStreaming
check|https://github.com/apache/lucene-solr/blob/0184d6b7f5ebbdcdf8faa085947da455fc1dc7ab/solr/core/src/java/org/apache/solr/servlet/SolrRequestParsers.java#L217-L227]
also for {{stream.body}}, or alternatively introducing a new requestParsers
attribute {{enableStreamBody}} which is also false by default?
> Disable remote streaming by default
> -----------------------------------
>
> Key: SOLR-9623
> URL: https://issues.apache.org/jira/browse/SOLR-9623
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Blocker
> Labels: configset
> Fix For: master (7.0)
>
> Attachments: SOLR-9623.patch, SOLR-9623.patch
>
>
> As we set more and more config settings suitable for production use, perhaps
> it is time to disable remoteStreaming by default, and document how to enable
> it.
> In all config sets, change into
> {code:xml}
> <requestParsers enableRemoteStreaming="${solr.remoteStreaming:false}"
> multipartUploadLimitInKB="2048000"
> formdataUploadLimitInKB="2048"
> addHttpRequestToContext="false"/>
> {code}
> And then consider adding support for it in solr.in.xxx
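An added example, not part of the original message or of Solr's own code: a Python check that resolves the effective enableRemoteStreaming value from the requestParsers element quoted above, and flags access-log requests that carry stream.* parameters, since the comment notes that stream.body is not governed by that setting. The wrapper elements, log format, sample lines and function names are assumptions constructed for illustration; stream.url and stream.file are Solr's remote streaming parameters.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Solr-style property reference with an optional default: ${name:default}
PROP = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")
STREAM_PARAMS = ("stream.body", "stream.url", "stream.file")

# Constructed sample: the requestParsers element from the issue, in a minimal wrapper.
SAMPLE_CONFIG = """<config><requestDispatcher>
<requestParsers enableRemoteStreaming="${solr.remoteStreaming:false}"
  multipartUploadLimitInKB="2048000"
  formdataUploadLimitInKB="2048"
  addHttpRequestToContext="false"/>
</requestDispatcher></config>"""

# Constructed access-log lines (common log format is an assumption).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/May/2017:10:00:01 +0000] "GET /solr/demo/select?q=*:* HTTP/1.1" 200 512',
    '192.0.2.11 - - [25/May/2017:10:00:05 +0000] "GET /solr/demo/update?stream.body=%3Ccommit/%3E HTTP/1.1" 200 128',
    '192.0.2.12 - - [25/May/2017:10:00:09 +0000] "POST /solr/demo/update?commit=true HTTP/1.1" 200 128',
]

def resolve(value, props):
    """Expand ${name:default} from props, falling back to the inline default."""
    return PROP.sub(lambda m: props.get(m.group(1), m.group(2) or ""), value)

def remote_streaming_enabled(solrconfig_xml, props=None):
    """Return the effective enableRemoteStreaming value, or None if it is not set."""
    node = ET.fromstring(solrconfig_xml).find(".//requestParsers")
    raw = None if node is None else node.get("enableRemoteStreaming")
    if raw is None:
        return None  # not configured: the default depends on the Solr version
    return resolve(raw, props or {}).strip().lower() == "true"

def stream_param_requests(log_lines):
    """Return (method, path, params) for requests carrying stream.* parameters."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        found = sorted(p for p in parse_qs(url.query, keep_blank_values=True) if p in STREAM_PARAMS)
        if found:
            hits.append((m.group(1), url.path, found))
    return hits

if __name__ == "__main__":
    print(remote_streaming_enabled(SAMPLE_CONFIG), stream_param_requests(SAMPLE_LOG))
```

A GET hit for stream.body is worth reviewing even when the first function returns False, because the setting does not cover that parameter.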