Really happy to see everyone's interest in supporting beginning users. I often feel protecting them is one really important aspect of supporting them.

There is a mechanism for disabling the Admin API by default. In SOLR-14014 <https://issues.apache.org/jira/browse/SOLR-14014> I added a flag for the start command. If you'd want it as a configuration option, that would be a new discussion but not a ton of code. It's an interesting thought, and I definitely want to do everything I can to support the evolution to a single API (v2) as the standard.

Best,
Marcus

On Sat, Jul 23, 2022 at 10:38 AM Shawn Heisey <apa...@elyograg.org> wrote:
> On 7/23/2022 9:41 AM, Gus Heck wrote:
> > There is something of a risk to have a server that accepts non-safe GET
> > requests. All these requests are contrary to the HTTP specification (
> > https://www.rfc-editor.org/rfc/rfc9110.html#section-9.2.1).
>
> If the only way to make certain things happen with a GET is via the
> admin UI, then I think we can close that vector by turning the admin UI
> off by default and requiring a config option to enable it, probably in
> solr.xml. I think the configs we include should NOT have that option
> enabled.
>
> As you know, every capability that the admin UI has can be accomplished
> directly. Maybe not with just a browser, but any dedicated attacker
> won't limit themselves to a browser.
>
> to another discussion (for a different email thread): Standardizing ALL
> configs to the same format. We currently have a mix of xml, json, and
> properties.
>
> Thanks,
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> For additional commands, e-mail: dev-h...@solr.apache.org

--
Marcus Eagan
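The thread's technical point is that RFC 9110 section 9.2.1 defines GET (along with HEAD, OPTIONS and TRACE) as a safe method, so an endpoint that changes server state in response to a GET is both a specification violation and an exposure that a browser-driven request can trigger. The following is an added example, not code from this thread or from the Solr project: it implements the RFC's safe-method rule in two defensive forms, a log scan that flags state-changing admin actions that arrived over a safe method, and a request-policy check that refuses such requests with 405 so that mutation has to come in via POST. The access-log layout, the `/solr/admin/` path prefix and the set of action names treated as mutating are assumptions for illustration, and the log lines are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# RFC 9110 section 9.2.1: these methods are defined as "safe" (read-only semantics).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Assumed policy: admin "action" values that change server state. These are
# illustrative names, not a list taken from the Solr documentation.
MUTATING_ACTIONS = frozenset({"CREATE", "DELETE", "RELOAD", "UNLOAD", "SWAP", "RENAME"})

# Assumed path prefix under which the admin API lives.
ADMIN_PREFIX = "/solr/admin/"

# Assumed common-log-style access line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    action: str


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def action_of(path: str):
    """Extract the 'action' query parameter (upper-cased) from a request path, if any."""
    params = parse_qs(urlsplit(path).query)
    values = params.get("action")
    return values[0].upper() if values else None


def is_unsafe_admin_mutation(method: str, path: str) -> bool:
    """True when a state-changing admin action arrives over a method RFC 9110 calls safe."""
    return (
        method in SAFE_METHODS
        and path.startswith(ADMIN_PREFIX)
        and action_of(path) in MUTATING_ACTIONS
    )


def unsafe_get_findings(lines):
    """Detection: scan access-log lines for mutating admin actions issued via safe methods."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line we understand; skip rather than guess
        if is_unsafe_admin_mutation(rec["method"], rec["path"]):
            findings.append(Finding(rec["ip"], rec["method"], rec["path"], action_of(rec["path"])))
    return findings


def dispatch(method: str, path: str) -> int:
    """Mitigation: the status a hardened front door would return for this request.

    Mutating admin actions must come in via a non-safe method (e.g. POST);
    over GET and friends they are refused with 405 Method Not Allowed.
    """
    if is_unsafe_admin_mutation(method, path):
        return 405
    return 200


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2022:09:41:00 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Jul/2022:09:41:07 +0000] "GET /solr/admin/cores?action=UNLOAD&core=products HTTP/1.1" 200 120',
    '10.0.0.9 - - [23/Jul/2022:09:42:11 +0000] "POST /solr/admin/collections?action=CREATE&name=x HTTP/1.1" 200 300',
    '10.0.0.9 - - [23/Jul/2022:09:42:30 +0000] "GET /solr/admin/collections?action=delete&name=x HTTP/1.1" 200 40',
    '10.0.0.1 - - [23/Jul/2022:09:43:02 +0000] "GET /solr/products/select?q=*:* HTTP/1.1" 200 2048',
    'garbage line that is not an access-log entry',
]

if __name__ == "__main__":
    for f in unsafe_get_findings(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.path} -> mutating action {f.action} over a safe method")
```

The detector only reports lines it can parse and only when all three conditions hold (safe method, admin path, mutating action), so a read-only `STATUS` over GET and a `CREATE` over POST both pass. The policy check shares the same predicate, which keeps what is logged as suspicious and what is refused at the edge in agreement.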