[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590784#comment-16590784 ]

Jan Høydahl commented on SOLR-11495:
------------------------------------

I think we should keep them enabled as is, including xmlparser, and instead 
focus on fixing security issues along the way as well as document how to 
disable qparsers in the “taking Solr to production” chapter.

> Reduce the list of which query parsers are loaded by default
> ------------------------------------------------------------
>
>                 Key: SOLR-11495
>                 URL: https://issues.apache.org/jira/browse/SOLR-11495
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query parsers
>    Affects Versions: 7.0
>            Reporter: Shawn Heisey
>            Priority: Major
>
> Virtually all of the query parsers that Solr supports are enabled by default, 
> in a map created in QParserPlugin.java.
> To reduce the possible attack surface of a default Solr installation, I 
> believe that the list of default parsers should be limited to a small handful 
> of the full list that's available. I will discuss specific ideas for that 
> list in comments.
> I think the bar should be very high for admission to the default parser list. 
> That list should only include those that are most commonly used by the 
> community. Only the most common parsers will have had extensive review for 
> security issues.
> _Edit_: moved description from "Docs Text" field where it was initially added 
> mistakenly.


