[
https://issues.apache.org/jira/browse/SOLR-10748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl resolved SOLR-10748.
--------------------------------
Resolution: Fixed
Fixed. See
http://lucene.apache.org/solr/guide/requestdispatcher-in-solrconfig.html for
how to enable. Once 7.1 is released, that doc section will contain a cURL
command :-)
> Disable stream.body by default
> ------------------------------
>
> Key: SOLR-10748
> URL: https://issues.apache.org/jira/browse/SOLR-10748
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: search
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Labels: security, streaming
> Fix For: master (8.0), 7.1
>
> Attachments: SOLR-10748.patch, SOLR-10748.patch
>
>
> Spinoff from SOLR-9623
> Today you can issue a HTTP request parameter {{stream.body}} which will by
> Solr be interpreted as body content on the request, i.e. act as a POST
> request. This is useful for development and testing but can pose a security
> risk in production since users/clients with permission to GET on various
> endpoints also can post by using {{stream.body}}. The classic example is
> {{&stream.body=<delete><query>*:*</query></delete>}}. And this feature cannot
> be turned off by configuration, it is not controlled by
> {{enableRemoteStreaming}}.
> This jira will add a configuration option
> {{requestDispatcher.requestParsers.enableStreamBody}} to the
> {{<requestParsers>}} tag in solrconfig as well as to the Config API. I
> propose to set the default value to **{{false}}**.
> Apart from security concerns, this also aligns well with our v2 API effort
> which tries to stick to the principle of least surprise in that GET requests
> shall not be able to modify state. Developers should know how to do a POST
> today :)
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
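As an added example (not code from the Solr project, the issue's patch, or its reporter), the following Python script does the two checks a practitioner would want after reading this issue: it reads the <requestParsers> element of a solrconfig.xml and reports whether enableStreamBody is on, and it scans NCSA-style request-log lines for GET requests that carry stream.body, flagging those whose body looks like an update command (the <delete><query>*:*</query></delete> case above). The config snippets and log lines are constructed for the example. It assumes the 7.1+ default described in the issue, i.e. a missing attribute means disabled; on versions before 7.1 the attribute is not honoured and stream.body is always accepted, so there a missing attribute should be read as "enabled".

```python
"""Audit helpers for the stream.body issue in SOLR-10748.

Added example, not Solr project code. Two checks:
  1. stream_body_enabled(): does a solrconfig.xml turn enableStreamBody on?
  2. find_stream_body_requests(): which logged GET requests smuggled a
     request body via stream.body, and did that body look like an update?
All config snippets and log lines below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Assumption: Solr 7.1+ semantics, where enableStreamBody defaults to false.
# On older versions the attribute is ignored and stream.body is always on.
DEFAULT_ENABLE_STREAM_BODY = False

# Fragments of an update command that should never arrive in a GET query
# string (XML and JSON update syntax). Compared case-insensitively.
UPDATE_MARKERS = ("<delete", "<add", "<commit", "<optimize", '"delete"', '"add"')

# Constructed solrconfig.xml fragments: the weak setting beside the hardened one.
WEAK_SOLRCONFIG = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="true" enableStreamBody="true"
                    multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""

HARDENED_SOLRCONFIG = """<config>
  <requestDispatcher>
    <requestParsers enableRemoteStreaming="false" enableStreamBody="false"
                    multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""

# Constructed NCSA-style request-log lines (Jetty request log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2017:12:00:01 +0000] "GET /solr/techproducts/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2017:12:00:02 +0000] "GET /solr/techproducts/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E&commit=true HTTP/1.1" 200 40',
    '10.0.0.9 - - [10/Oct/2017:12:00:03 +0000] "GET /solr/techproducts/select?q=id:1&stream.body=q%3Dfoo HTTP/1.1" 200 300',
    '10.0.0.7 - - [10/Oct/2017:12:00:04 +0000] "POST /solr/techproducts/update HTTP/1.1" 200 40',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def stream_body_enabled(solrconfig_xml: str) -> bool:
    """Return True if <requestDispatcher><requestParsers> enables stream.body."""
    root = ET.fromstring(solrconfig_xml)
    parsers = root.find("./requestDispatcher/requestParsers")
    if parsers is None:
        return DEFAULT_ENABLE_STREAM_BODY
    value = parsers.get("enableStreamBody")
    if value is None:
        return DEFAULT_ENABLE_STREAM_BODY
    return value.strip().lower() == "true"


def find_stream_body_requests(log_lines):
    """Return one record per logged request whose query string carries
    stream.body. 'mutating' is True when the decoded body looks like an
    update command, i.e. a GET that would change index state."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request-log line we understand
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        if "stream.body" not in params:
            continue
        body = params["stream.body"][0]
        lowered = body.lower()
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": url.path,
            "body": body,
            "mutating": any(marker in lowered for marker in UPDATE_MARKERS),
        })
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SOLRCONFIG), ("hardened", HARDENED_SOLRCONFIG)):
        print(f"{name} config: enableStreamBody={stream_body_enabled(cfg)}")
    for hit in find_stream_body_requests(SAMPLE_LOG):
        flag = "STATE-CHANGING GET" if hit["mutating"] else "stream.body on GET"
        print(f"{flag}: {hit['ip']} {hit['method']} {hit['path']} body={hit['body']!r}")
```

Run it against a real Jetty request log by replacing SAMPLE_LOG with the file's lines; any hit with mutating=True on a GET is a request that the 7.1 default would have rejected and that merits a look at who sent it.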