[
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987994#comment-16987994
]
Joel Bernstein edited comment on SOLR-13987 at 12/4/19 4:57 PM:
----------------------------------------------------------------
I have a question and a possible approach.
Is the main issue here that people *want* to expose Solr to the open internet,
or that people may expose Solr to the open internet by mistake? Or is there
some other concern about internal attacks?
Here is a suggestion that I would be willing to take on to resolve this
specific security issue. The suggestion is have Solr start in "headless" mode
by default. This would effectively turn off the admin. But a flag could be used
to turn on the admin at startup.
How do people feel about this suggestion?
was (Author: joel.bernstein):
I have a question and a possible approach.
Is the main issue here that people *want* to expose Solr to the open internet,
or that people may expose Solr to the open internet by mistake? Is is there
some other concern about internal attacks?
Here is a suggestion that I would be willing to take on to resolve this
specific security issue. The suggestion is have Solr start in "headless" mode
by default. This would effectively turn off the admin. But a flag could be used
to turn on the admin at startup.
How do people feel about this suggestion?
> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
> Key: SOLR-13987
> URL: https://issues.apache.org/jira/browse/SOLR-13987
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Robert Muir
> Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow
> this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the
> browser.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)