[ 
https://issues.apache.org/jira/browse/SOLR-9623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16024611#comment-16024611
 ] 

David Smiley commented on SOLR-9623:
------------------------------------

bq. Anyone in favor of adding the remoteStreaming check also for stream.body

Hmm.  It seems these are separate concerns.  Remote streaming is the concern 
that you pull from a _remote_ service, and the caller gets to pick the URL 
which is a security concern.  But stream.body is actually related to a GET vs 
POST issue, which should be handled separately.  So I'm -0 on your suggestion.

All these security checks can be a bit of a downer (depressingly hobbled) for 
local work.  It'd be nice if these checks could be auto-disabled when issued 
from localhost in non-SolrCloud.  Ah well.

> Disable remote streaming by default
> -----------------------------------
>
>                 Key: SOLR-9623
>                 URL: https://issues.apache.org/jira/browse/SOLR-9623
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>              Labels: configset
>             Fix For: master (7.0)
>
>         Attachments: SOLR-9623.patch, SOLR-9623.patch, SOLR-9623.patch
>
>
> As we set more and more config settings suitable for production use, perhaps 
> it is time to disable remoteStreaming by default, and document how to enable 
> it.
> In all config sets, change into
> {code:xml}
> <requestParsers enableRemoteStreaming="${solr.remoteStreaming:false}"
>    multipartUploadLimitInKB="2048000"
>    formdataUploadLimitInKB="2048"
>    addHttpRequestToContext="false"/>
> {code}
> And then consider adding support for it in solr.in.xxx



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
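The issue description proposes `enableRemoteStreaming="${solr.remoteStreaming:false}"` so that the stock configsets ship with remote streaming (stream.url / stream.file, where the caller picks what the server fetches) off unless an operator opts in via a system property. Below is an added audit script, not code from the issue, the patches, or Solr itself, that scans solrconfig.xml text for that attribute and resolves Solr's `${name:default}` property syntax against a given set of system properties, so you can see what a configset actually does before and after the change. The two configs are constructed samples; the property resolver is my own minimal reimplementation of the syntax (no nested `${...}`), and an absent attribute is treated as disabled, which is an assumption you should confirm against your Solr version.

```python
"""Audit solrconfig.xml for remote streaming (added example, not Solr code)."""
import re
import xml.etree.ElementTree as ET

# Solr property syntax as used in solrconfig.xml: ${name} or ${name:default}.
# Simplified here: no nested ${...} inside the default value.
_PROP_RE = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def resolve_props(value, sysprops):
    """Substitute ${name:default} from sysprops, falling back to the default."""
    def repl(match):
        name, default = match.group(1), match.group(2)
        if name in sysprops:
            return sysprops[name]
        if default is not None:
            return default
        raise KeyError(f"no value or default for property {name}")
    return _PROP_RE.sub(repl, value)


def remote_streaming_enabled(solrconfig_xml, sysprops=None):
    """True if <requestParsers enableRemoteStreaming=...> resolves to "true".

    sysprops models the -D system properties the JVM was started with.
    An absent attribute is treated as disabled (assumption, see lead-in).
    Boolean parsing is case-insensitive, like Java's Boolean.parseBoolean.
    """
    sysprops = sysprops or {}
    root = ET.fromstring(solrconfig_xml)
    # iter() includes the root itself, so a bare <requestParsers/> works too.
    for node in root.iter("requestParsers"):
        raw = node.get("enableRemoteStreaming")
        if raw is None:
            continue
        return resolve_props(raw, sysprops).strip().lower() == "true"
    return False


def audit(configs, sysprops=None):
    """Map configset name -> whether remote streaming would be on at startup."""
    return {name: remote_streaming_enabled(xml, sysprops)
            for name, xml in configs.items()}


# Constructed samples: the pre-change stanza and the one proposed in SOLR-9623.
LEGACY_CONFIG = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="true"
       multipartUploadLimitInKB="2048000"
       formdataUploadLimitInKB="2048"
       addHttpRequestToContext="false"/>
  </requestDispatcher>
</config>"""

PROPOSED_CONFIG = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="${solr.remoteStreaming:false}"
       multipartUploadLimitInKB="2048000"
       formdataUploadLimitInKB="2048"
       addHttpRequestToContext="false"/>
  </requestDispatcher>
</config>"""

if __name__ == "__main__":
    configs = {"legacy": LEGACY_CONFIG, "proposed": PROPOSED_CONFIG}
    # Default startup, then an operator who explicitly opted in.
    for props in ({}, {"solr.remoteStreaming": "true"}):
        print(props, audit(configs, props))
```

With no system properties the legacy sample reports enabled and the proposed one disabled; with `solr.remoteStreaming=true` both report enabled. The opt-in the issue alludes to for solr.in.xxx would be the usual Solr mechanism of passing a JVM system property at startup, e.g. appending `-Dsolr.remoteStreaming=true` to `SOLR_OPTS` in solr.in.sh (my suggestion, not something the patches are shown to do). Note, as the comment above says, that this flag does not touch `stream.body`, which is a separate setting.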
