[ 
https://issues.apache.org/jira/browse/SOLR-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836500#comment-13836500
 ] 

Jan Høydahl commented on SOLR-1523:
-----------------------------------

I'm tempted to close this as Won't fix, as it seems people are in general happy 
with the APIs.

However, since we got the new Schema REST API we actually started doing admin 
stuff with proper REST. I like that. Question is whether there is anything to 
gain by re-writing the Cores API and the Collections API to use RestLet as 
well, getting away with the {{action=CREATE}} kind of syntax and instead doing 
it with POST/PUT. Perhaps for 5.0?

Another dangerous default is the solrconfig.xml {{<requestParsers>}} parameter 
{{enableRemoteStreaming="true"}} which should perhaps default to {{false}} 
from 4.7 or 5.0. It allows anyone to delete everything with a single GET...

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>
>                 Key: SOLR-1523
>                 URL: https://issues.apache.org/jira/browse/SOLR-1523
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
>
> GET v.s. POST/PUT/DELETE
> The multicore implementation allows HTTP GET requests to perform system 
> administration commands. This means that an URL which alters the system can 
> be bookmarked/e-mailed/etc. This is dangerous in a production system.
> A clean implementation should give every request handler the ability to 
> accept some HTTP verbs and reject others. It could be just a boolean for 
> whether it accepts a GET, or the interface might actually have a list of 
> verbs it accepts. 
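The issue text above proposes that each request handler declare which HTTP verbs it accepts, and the comment flags `enableRemoteStreaming="true"` as a second unsafe default. The following is an added, self-contained illustration of both points and is not Solr's code: the handler registry, the `dispatch()` function, the `MUTATING_ACTIONS` set and the `solrconfig.xml` fragment are hypothetical or constructed here. It shows a dispatcher that returns 405 for a verb a handler does not accept and for a state-changing `action=` parameter that arrives by GET, plus a small audit that flags the remote-streaming setting in a config file.

```python
"""Per-handler HTTP verb allow-lists and a solrconfig.xml audit.
Added illustration, not Solr code: handler paths, actions and the
dispatch() helper are hypothetical."""
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

# Hypothetical core-admin actions that change server state. These must not
# be reachable via a safe (bookmarkable, prefetchable) verb such as GET.
MUTATING_ACTIONS = {"CREATE", "UNLOAD", "RELOAD", "SWAP", "RENAME"}


@dataclass
class Handler:
    name: str
    allowed_verbs: frozenset                 # verbs this handler accepts at all
    # Actions that are rejected on GET/HEAD even when GET is otherwise allowed.
    mutating_actions: frozenset = field(default_factory=frozenset)


# Hypothetical handler registry: read-only handlers may take GET, the
# update handler only takes POST/PUT, and core admin takes GET only for
# non-mutating actions such as STATUS.
HANDLERS = {
    "/admin/cores": Handler("cores", frozenset({"GET", "POST"}),
                            frozenset(MUTATING_ACTIONS)),
    "/select": Handler("select", frozenset({"GET", "POST"})),
    "/update": Handler("update", frozenset({"POST", "PUT"})),
}


def dispatch(method, path, params):
    """Return (status, reason) for a request.

    404 for an unknown path, 405 when the verb is not in the handler's
    allow-list, 405 when a mutating action is requested with GET or HEAD,
    otherwise 200.
    """
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "no such handler"
    if method not in handler.allowed_verbs:
        return 405, f"{handler.name} does not accept {method}"
    action = (params.get("action") or "").upper()
    if action in handler.mutating_actions and method in ("GET", "HEAD"):
        return 405, f"action={action} requires POST"
    return 200, "ok"


def remote_streaming_enabled(solrconfig_xml):
    """True when any <requestParsers> element sets enableRemoteStreaming="true"."""
    root = ET.fromstring(solrconfig_xml)
    for rp in root.iter("requestParsers"):
        if rp.get("enableRemoteStreaming", "false").lower() == "true":
            return True
    return False


# Constructed solrconfig.xml fragment carrying the weak setting, and the
# same fragment with the setting turned off.
WEAK_CONFIG = """<config>
  <requestDispatcher handleSelect="false">
    <requestParsers enableRemoteStreaming="true" multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""

HARDENED_CONFIG = WEAK_CONFIG.replace('enableRemoteStreaming="true"',
                                      'enableRemoteStreaming="false"')


if __name__ == "__main__":
    print(dispatch("GET", "/admin/cores", {"action": "STATUS"}))
    print(dispatch("GET", "/admin/cores", {"action": "UNLOAD", "core": "c1"}))
    print(dispatch("POST", "/admin/cores", {"action": "UNLOAD", "core": "c1"}))
    print("remote streaming in weak config:", remote_streaming_enabled(WEAK_CONFIG))
    print("remote streaming in hardened config:", remote_streaming_enabled(HARDENED_CONFIG))
```

The verb check is applied before the handler runs, so a bookmarked or prefetched `action=UNLOAD` link is refused at dispatch rather than relying on each handler to remember the rule; the config audit is the kind of check a deployment review would run against the real `solrconfig.xml`.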



--
This message was sent by Atlassian JIRA
(v6.1#6144)
