[ https://issues.apache.org/jira/browse/SOLR-10748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-10748:
-------------------------------
    Attachment: SOLR-10748.patch

Patch attached.

* Adds new {{enableStreamBody}} property to {{<requestParsers>}} element
* stream.body is disallowed by default, and throws SolrException "*Stream Body is disabled.*"
* Explicitly enabled in some test solrconfig files since several tests rely on stream.body
* In {{SolrRequestParsers.java}} the constructor default for {{enableRemoteStreams}} was true and {{multipartUploadLimitKB}} and {{formUploadLimitKB}} were 2048. Fixed these to align with SOLR-9623
* New test case {{TestStreamBody}} testing default value and setting {{requestDispatcher.requestParsers.enableStreamBody}} through Config API. Moved test {{TestRemoteStreaming.testQtUpdateFails}} here.
* RefGuide update

Related fixes also in this patch:
* In {{TestConfigSetsAPI}}, removed unnecessary method {{xsltRequest}}. The 401 test is covered elsewhere
* Fixed an assert in {{TestSolrConfigHandler.runConfigCommand}} which would not fail if response contained a key "errorMessages"
* Replaced some literal "stream.body" strings with {{CommonParams.STREAM_BODY}}

Tests and precommit pass.

> Disable stream.body by default
> ------------------------------
>
>                 Key: SOLR-10748
>                 URL: https://issues.apache.org/jira/browse/SOLR-10748
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: search
>            Reporter: Jan Høydahl
>              Labels: security, streaming
>             Fix For: master (7.0)
>
>         Attachments: SOLR-10748.patch
>
>
> Spinoff from SOLR-9623
> Today you can issue a HTTP request parameter {{stream.body}} which will by Solr be interpreted as body content on the request, i.e. act as a POST request. This is useful for development and testing but can pose a security risk in production since users/clients with permission to GET on various endpoints also can post by {{using stream.body}}. The classic example is {{&stream.body=<delete><query>*:*</query></delete>}}. And this feature cannot be turned off by configuration, it is not controlled by {{enableRemoteStreaming}}.
> This jira will add a configuration option {{requestDispatcher.requestParsers.enableStreamBody}} to the {{<requestParsers>}} tag in solrconfig as well as to the Config API. I propose to set the default value to **{{false}}**.
> Apart from security concerns, this also aligns well with our v2 API effort which tries to stick to the principle of least surprise in that GET requests shall not be able to modify state. Developers should know how to do a POST today :)
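As an added illustration (constructed here, not code from the attached patch or from Solr's SolrRequestParsers), the Python below models the gating the issue and the patch describe: a request carrying stream.body is rejected with "Stream Body is disabled." unless enableStreamBody is on, while stream.url and stream.file remain governed by the separate enableRemoteStreaming switch. It also includes a small scan over constructed request-log lines written in the style of Solr's request log, flagging requests that supplied a body through the stream.body parameter, which is what an operator of a release without this option would want to look for. The names RequestParsersConfig, resolve_body, decide, find_stream_body_requests and SAMPLE_LOG are this example's own, and the "Remote Streaming is disabled." message is the model's wording, not necessarily Solr's.

```python
"""Constructed model of the stream.body gating described in SOLR-10748, plus a
request-log check. Illustration code only, not Solr's SolrRequestParsers."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Parameter names as Solr spells them (CommonParams.STREAM_BODY and friends).
STREAM_BODY = "stream.body"
STREAM_URL = "stream.url"
STREAM_FILE = "stream.file"


@dataclass(frozen=True)
class RequestParsersConfig:
    """Hypothetical mirror of the <requestParsers> settings relevant here."""
    enable_remote_streaming: bool = False  # governs stream.url / stream.file
    enable_stream_body: bool = False       # new switch; false by default per SOLR-10748


class SolrException(Exception):
    """Stand-in for org.apache.solr.common.SolrException."""


def resolve_body(params: dict, config: RequestParsersConfig):
    """Decide where the request body comes from, as the patched parser would.

    Returns (source, content), or None when no stream parameter is present;
    raises SolrException when the relevant switch is off. stream.body has its
    own switch: enableRemoteStreaming does not cover it (the issue's point).
    """
    if STREAM_BODY in params:
        if not config.enable_stream_body:
            raise SolrException("Stream Body is disabled.")
        return ("body", params[STREAM_BODY][0])
    for key in (STREAM_URL, STREAM_FILE):
        if key in params:
            if not config.enable_remote_streaming:
                # Message text is this model's own, not Solr's exact wording.
                raise SolrException("Remote Streaming is disabled.")
            return ("remote", params[key][0])
    return None


def decide(query_string: str, config: RequestParsersConfig) -> str:
    """Convenience wrapper: 'allowed' or 'rejected: <message>' for a query string."""
    try:
        resolve_body(parse_qs(query_string, keep_blank_values=True), config)
        return "allowed"
    except SolrException as exc:
        return f"rejected: {exc}"


# Constructed request-log lines in the style of Solr's request log (not real
# captures). The second carries the delete-all example from the issue, URL-encoded.
SAMPLE_LOG = [
    "o.a.s.c.S.Request [techproducts]  webapp=/solr path=/select "
    "params={q=*:*&wt=json} hits=32 status=0 QTime=3",
    "o.a.s.c.S.Request [techproducts]  webapp=/solr path=/update "
    "params={stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E&commit=true} "
    "status=0 QTime=12",
    "o.a.s.c.S.Request [techproducts]  webapp=/solr path=/select "
    "params={q=id:1&stream.body=%3Ccommit/%3E} status=400 QTime=1",
]

_LOG_RE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}")


def find_stream_body_requests(lines):
    """Return (path, decoded stream.body) for every log line that used stream.body.

    On releases without enableStreamBody these are the requests that carried a
    body inside a query parameter and deserve review.
    """
    hits = []
    for line in lines:
        match = _LOG_RE.search(line)
        if not match:
            continue
        params = parse_qs(match.group("params"), keep_blank_values=True)
        if STREAM_BODY in params:
            hits.append((match.group("path"), params[STREAM_BODY][0]))
    return hits


if __name__ == "__main__":
    print(decide("stream.body=%3Cdelete%3E", RequestParsersConfig()))
    print(decide("stream.body=%3Cdelete%3E", RequestParsersConfig(enable_stream_body=True)))
    for path, body in find_stream_body_requests(SAMPLE_LOG):
        print(f"{path}: {body}")
```

The two switches are deliberately independent in the model, matching the issue text: turning enableRemoteStreaming off does nothing for stream.body, and only the new option closes that path. The log scan decodes the percent-encoded parameter so that the flagged entries show the actual body content that reached the handler.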



--
This message was sent by Atlassian JIRA (v6.4.14#64029)
