Jan Høydahl created SOLR-10748:
----------------------------------
Summary: Disable stream.body by default
Key: SOLR-10748
URL: https://issues.apache.org/jira/browse/SOLR-10748
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: search
Reporter: Jan Høydahl
Fix For: master (7.0)
Spinoff from SOLR-9623
Today you can issue an HTTP request parameter {{stream.body}} which Solr will
interpret as body content on the request, i.e. act as a POST request. This
is useful for development and testing but can pose a security risk in
production since users/clients with permission to GET on various endpoints
also can post by using {{stream.body}}. The classic example is
{{&stream.body=<delete><query>*:*</query></delete>}}. And this feature cannot
be turned off by configuration, it is not controlled by
{{enableRemoteStreaming}}.
This jira will add a configuration option
{{requestDispatcher.requestParsers.enableStreamBody}} to the
{{<requestParsers>}} tag in solrconfig as well as to the Config API. I propose
to set the default value to **{{false}}**.
Apart from security concerns, this also aligns well with our v2 API effort
which tries to stick to the principle of least surprise in that GET requests
shall not be able to modify state. Developers should know how to do a POST
today :)
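As an added example (not part of this issue and not Solr's own code), the following Python script audits for the exposure described above from the defender's side: it checks whether a solrconfig.xml fragment still allows {{stream.body}}, builds the Config API payload to switch it off, and scans request-log lines for GET requests that carry a {{stream.body}} parameter. It assumes the attribute name {{enableStreamBody}} on {{<requestParsers>}} and the Config API key {{requestDispatcher.requestParsers.enableStreamBody}} exactly as proposed in this issue, treats a missing attribute as "enabled" (matching today's behaviour where the feature cannot be turned off), and the solrconfig fragments and log lines are constructed for illustration.

```python
"""Audit helpers for the stream.body exposure discussed in SOLR-10748.

Added example, not Solr code. Assumptions: the <requestParsers> attribute is
named enableStreamBody and the Config API property key is
requestDispatcher.requestParsers.enableStreamBody, as proposed in the issue.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed solrconfig.xml fragment in the pre-7.0 shape: remote streaming is
# off, but nothing controls stream.body, so it is still accepted.
SOLRCONFIG_WEAK = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="false"
                    multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""

# Constructed hardened fragment using the attribute this issue proposes.
SOLRCONFIG_HARDENED = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="false"
                    enableStreamBody="false"
                    multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""


def stream_body_enabled(solrconfig_xml: str) -> bool:
    """Return True when the config still lets stream.body act as a request body.

    A missing <requestParsers> element or a missing enableStreamBody attribute
    is treated as enabled (assumption: that matches the behaviour before this
    issue, where the feature could not be turned off at all).
    """
    root = ET.fromstring(solrconfig_xml)
    parsers = root.find("./requestDispatcher/requestParsers")
    if parsers is None:
        return True
    return parsers.get("enableStreamBody", "true").strip().lower() != "false"


def config_api_set_property() -> dict:
    """Config API command body that disables stream.body (key per this issue)."""
    return {"set-property": {"requestDispatcher.requestParsers.enableStreamBody": False}}


# Constructed NCSA-style request-log lines (not real Solr output). The second
# line shows a GET that smuggles an update body through stream.body.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2017:10:01:02 +0000] "GET /solr/collection1/select?q=*:*&wt=json HTTP/1.1" 200 512
10.0.0.9 - - [30/May/2017:10:01:07 +0000] "GET /solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E&commit=true HTTP/1.1" 200 40
10.0.0.9 - - [30/May/2017:10:01:09 +0000] "POST /solr/collection1/update HTTP/1.1" 200 40
"""

# Pull the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_stream_body_requests(log_text: str) -> list:
    """Return (method, path, decoded stream.body value) for every request whose
    query string carries stream.body. Any method is reported, since the point
    of the parameter is that the body no longer depends on the method used."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        parts = urlsplit(match["target"])
        params = parse_qs(parts.query)
        if "stream.body" in params:
            hits.append((match["method"], parts.path, params["stream.body"][0]))
    return hits


if __name__ == "__main__":
    print("weak config allows stream.body:", stream_body_enabled(SOLRCONFIG_WEAK))
    print("hardened config allows stream.body:", stream_body_enabled(SOLRCONFIG_HARDENED))
    print("Config API payload:", config_api_set_property())
    for method, path, body in find_stream_body_requests(SAMPLE_LOG):
        print(f"stream.body via {method} on {path}: {body!r}")
```

Running the script against real logs is a matter of feeding the access log text to {{find_stream_body_requests}}; any hit on a GET is exactly the state-changing-GET case this issue wants to close by default.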
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)